Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in BZOTheme Mella mella allows PHP Local File Inclusion. This issue affects Mella: from n/a through <= 1.2.29.
Published: 2026-01-22
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Mella theme contains improper control of the filename used in a PHP include/require statement, allowing an attacker to supply arbitrary local file paths through a vulnerable parameter. By exploiting this, an attacker can read sensitive files on the server or execute arbitrary PHP code if a writable file can be placed in a path that the theme will subsequently include.

Affected Systems

All installations of the BZOTheme Mella theme with versions ranging from its initial release through 1.2.29 are affected. Any site that has one of these versions installed is vulnerable.

Risk and Exploitability

The vulnerability has a CVSS score of 8.1, indicating high severity, but its EPSS score is less than 1%, suggesting a low current threat of exploitation. It is not listed in the CISA KEV catalog. Likely exploitation would involve an attacker sending a specially crafted HTTP request to the vulnerable endpoint, including a file path that bypasses basic filtering, to read or execute local files.

Generated by OpenCVE AI on April 29, 2026 at 11:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Mella theme to any version newer than 1.2.29 that removes the vulnerable include logic.
  • If an immediate update is not possible, disable the vulnerable endpoint by removing or renaming the theme file that performs the include, or block it with a web‑server rule that denies all remote requests to that file.
  • Configure PHP to disable allow_url_include and enforce safe_mode, and use a web‑application firewall to block patterns indicative of LFI attempts.
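The code-level fix behind the first two actions is to stop building an include path from request input. The snippet below is an added illustration of the CWE-98 pattern and its hardened counterpart; it is not code from the Mella theme, and the template directory, the template names and the `tpl` query parameter are assumptions. Two caveats on the third action: `allow_url_include` only governs remote wrappers (http://, ftp://) and does nothing against local paths, so it does not address the local inclusion this advisory describes; and `safe_mode` was removed in PHP 5.4, so on any current PHP release that directive has no effect. Validation in code is what actually closes the hole.

```php
<?php
// Added example of CWE-98 (attacker-controlled include path) and its fix.
// Hypothetical theme template loader; not the Mella theme's own code.

// VULNERABLE: the file name comes straight from the request, so any local
// path the web server can read may end up in include().
function load_template_vulnerable(string $name): void
{
    include __DIR__ . '/templates/' . $name;
}

// HARDENED: map request values to a fixed allowlist of known templates and
// never concatenate user input into the path at all.
const TEMPLATES = [
    'header'  => 'header.php',
    'footer'  => 'footer.php',
    'sidebar' => 'sidebar.php',
];

// Returns the absolute path of an allowlisted template, or null if the
// requested name is unknown or the resolved path escapes the template dir.
function resolve_template(string $name): ?string
{
    if (!array_key_exists($name, TEMPLATES)) {
        return null;
    }
    $base = realpath(__DIR__ . '/templates');
    if ($base === false) {
        return null;
    }
    $path = realpath($base . DIRECTORY_SEPARATOR . TEMPLATES[$name]);
    // Defence in depth: even with an allowlist, confirm the canonical path
    // still lives under the template directory (guards against symlinks or
    // a later edit that puts input back into the map).
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($path === false || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

function load_template(string $name): void
{
    $path = resolve_template($name);
    if ($path === null) {
        http_response_code(400);
        echo 'unknown template';
        return;
    }
    include $path;
}

// Assumed entry point: the template is selected by a "tpl" query parameter.
load_template((string) ($_GET['tpl'] ?? 'header'));
```

Requests such as `?tpl=header` resolve through the map; anything not in `TEMPLATES`, including traversal sequences or absolute paths, is rejected with a 400 before `include` runs. Keep the allowlist static in code rather than populated from configuration that a lower-privileged user can edit.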


Tracking


Advisories

No advisories yet.

History

Thu, 29 Jan 2026 02:15:00 +0000

Type: Metrics
  Values Added:
    cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}
    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 23 Jan 2026 16:45:00 +0000

Type: First Time appeared
  Values Added: Wordpress / wordpress
Type: Vendors & Products
  Values Added: Wordpress / wordpress

Thu, 22 Jan 2026 23:00:00 +0000

Type: Description
  Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in BZOTheme Mella mella allows PHP Local File Inclusion.This issue affects Mella: from n/a through <= 1.2.29.
Type: Title
  Values Added: WordPress Mella theme <= 1.2.29 - Local File Inclusion vulnerability
Type: Weaknesses
  Values Added: CWE-98
Type: References
  Values Added: (none listed)

Subscriptions

Wordpress / wordpress

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T19:25:22.664Z

Reserved: 2025-12-09T16:46:41.863Z

Link: CVE-2025-67616

Vulnrichment

Updated: 2026-01-29T01:14:42.599Z

NVD

Status : Deferred

Published: 2026-01-22T17:16:01.843

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-67616

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T11:30:09Z

Weaknesses