CVE-2025-67920 - Vulnerability Details

- WordPress Neo Ocular theme < 1.2 - Local File Inclusion vulnerability

Description

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Neo Ocular neoocular allows PHP Local File Inclusion.This issue affects Neo Ocular: from n/a through < 1.2.

Published: 2026-01-08

Score: 8.1 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Neo Ocular WordPress theme has an improper control of filenames used in PHP include/require statements, which enables a local file inclusion vulnerability. An attacker can supply a crafted value that causes the application to include an arbitrary file from the local filesystem, potentially allowing the attacker to read sensitive configuration files or execute malicious PHP code if the included file is executable. This flaw is classified as CWE‑98 and carries a CVSS score of 8.1, indicating high severity.

Affected Systems

All installations of the Neo Ocular theme by Elated‑Themes running versions earlier than 1.2 are affected. The vulnerability resides in theme files that perform unsanitized include/require operations, therefore any WordPress site that uses the pre‑1.2 releases is at risk.

Risk and Exploitability

We can infer that an attacker would need to influence the path used in an include/require statement, for example through a crafted URL parameter, a manipulated form field, or local administrative access. The EPSS score of less than 1% suggests that current exploitation activity is low, and the vulnerability is not listed in CISA KEV. Nevertheless, local file inclusion can compromise confidentiality or integrity of the site, and the high CVSS score emphasizes the need for timely remediation.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Elated-Themes

Neo Ocular

unaffected

Version	Status	Constraints
`0`	affected	≤ 1.2

No data.

Vendor	Product	Confidence	Versions
Wordpress	Wordpress	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Neo Ocular theme to version 1.2 or later to apply the vendor fix that sanitizes include paths.
If an upgrade cannot be performed immediately, remove or hard‑code any user‑controlled include/require logic to a known safe directory and ensure file paths are validated before inclusion.
Run a file integrity check against the official Neo Ocular distribution to confirm that no malicious code has been introduced into the theme files.

Generated by OpenCVE AI on April 29, 2026 at 21:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00172.

Exploitation none

Automatable yes

Technical Impact total

References

Link	Providers
https://patchstack.com/database/Wordpress/Theme/neoocular/vulnerability/wordpress-neo-ocular-theme-1-2-local-file-inclusion-vulnerability?_s_id=cve

History

Thu, 23 Apr 2026 15:00:00 +0000

Type	Values Removed	Values Added
Metrics	cvssV3_1 `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}`	cvssV3_1 `{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}`

Tue, 20 Jan 2026 15:30:00 +0000

Type	Values Removed	Values Added
References	https://vdp.patchstack.com/database/Wordpress/Theme/neoocular/vulnerability/wordpress-neo-ocular-theme-1-2-local-file-inclusion-vulnerability?_s_id=cve

Tue, 20 Jan 2026 14:45:00 +0000

Type	Values Removed	Values Added
References		https://patchstack.com/database/Wordpress/Theme/neoocular/vulnerability/wordpress-neo-ocular-theme-1-2-local-file-inclusion-vulnerability?_s_id=cve

Fri, 09 Jan 2026 13:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Wordpress Wordpress wordpress
Vendors & Products		Wordpress Wordpress wordpress

Thu, 08 Jan 2026 18:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Thu, 08 Jan 2026 16:30:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}`

Thu, 08 Jan 2026 09:45:00 +0000

Type	Values Removed	Values Added
Description		Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Neo Ocular neoocular allows PHP Local File Inclusion.This issue affects Neo Ocular: from n/a through < 1.2.
Title		WordPress Neo Ocular theme < 1.2 - Local File Inclusion vulnerability
Weaknesses		CWE-98
References		https://vdp.patchstack.com/database/Wordpress/Theme/neoocular/vulnerability/wordpress-neo-ocular-theme-1-2-local-file-inclusion-vulnerability?_s_id=cve

Subscriptions

Wordpress Wordpress

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published: 2026-01-08T09:17:46.685Z

Updated: 2026-04-28T16:14:23.781Z

Reserved: 2025-12-15T09:59:49.436Z

Link: CVE-2025-67920

Vulnrichment

Updated: 2026-01-08T14:55:29.289Z

NVD

Status : Deferred

Published: 2026-01-08T10:15:50.977

Modified: 2026-04-27T18:16:49.080

Link: CVE-2025-67920

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T22:00:07Z

Weaknesses

CWE-98

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object