Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Wellspring wellspring allows PHP Local File Inclusion. This issue affects Wellspring: from n/a through < 2.8.
Published: 2026-01-08
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion
Action: Apply Patch
AI Analysis

Impact

Improper control of file names in PHP include/require statements enables a local file inclusion flaw. On a site that uses the Mikado-Themes Wellspring theme, an attacker can read arbitrary local files and potentially execute code supplied through those files. The defect receives a CVSS score of 8.1, reflecting substantial confidentiality and integrity risks should an attacker leverage it.

Affected Systems

The vulnerability affects the Mikado-Themes Wellspring WordPress theme in all releases prior to version 2.8. The description gives the affected range as n/a through any version lower than 2.8, so any site still running a pre-2.8 version is potentially exposed.

Risk and Exploitability

The EPSS score is listed as less than 1%, suggesting exploitation is rare at present, and the vulnerability is not in the CISA KEV catalog. Attacks would most likely originate from a remote web user reaching the theme's file inclusion logic, though a local attacker could also benefit depending on server configuration. Because the flaw hinges on unvalidated file paths, the risk remains significant until the theme is updated or mitigated.

Generated by OpenCVE AI on April 28, 2026 at 10:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to Mikado-Themes Wellspring 2.8 or later.
  • If an immediate update is not possible, block or sanitize any user-controlled file paths used by the theme, such as filtering slashes and dot-dot sequences in GET or POST parameters that reach include/require.
  • As an additional safeguard, configure PHP with allow_url_include set to Off and enforce a conservative open_basedir restriction so that the web application cannot read files outside the intended directories.
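A hardened include helper of the kind the second bullet describes, added here as an example and not code from the Wellspring theme or from OpenCVE; the function name, the temporary directory and the template names are constructed for the demo:

```php
<?php
// Added example (not the theme's own code): an allowlist plus a
// realpath containment check applied before a user-supplied template
// name reaches include/require.
declare(strict_types=1);

/**
 * Resolve a user-supplied template name to a file inside $baseDir.
 * Returns the absolute path, or null if the name is rejected.
 */
function resolve_template(string $name, string $baseDir): ?string
{
    // 1. Allowlist: only simple identifiers, so "../", absolute paths,
    //    stream wrappers such as php:// and null bytes are rejected.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name)) {
        return null;
    }

    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }

    // 2. Containment: the resolved file must exist and sit under $base.
    //    This second check also catches symlinks pointing outside the
    //    directory, so a single bypass does not defeat the guard.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $name . '.php');
    if ($candidate === false) {
        return null;
    }
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Constructed demo: a temporary directory holding one legitimate template.
$dir = sys_get_temp_dir() . '/tpl_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents("$dir/sidebar.php", "<?php echo 'sidebar ok';\n");

$cases = ['sidebar', '../../../etc/passwd', 'php://filter/resource=x', "sidebar\0", 'missing'];
foreach ($cases as $c) {
    $r = resolve_template($c, $dir);
    printf("%-28s => %s\n", addcslashes($c, "\0"), $r === null ? 'REJECTED' : 'include ' . basename($r));
}

unlink("$dir/sidebar.php");
rmdir($dir);
```

Only the first case resolves; the rest are rejected by the allowlist or the containment check, and the allow_url_include/open_basedir settings from the third bullet remain a separate, server-level layer beneath this code.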

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
  Values Removed: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N'}
  Values Added: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Tue, 27 Jan 2026 18:15:00 +0000

Type: First Time appeared
  Values Added: Qodeinteractive; Qodeinteractive wellspring
Type: CPEs
  Values Added: cpe:2.3:a:qodeinteractive:wellspring:*:*:*:*:*:wordpress:*:*
Type: Vendors & Products
  Values Added: Qodeinteractive; Qodeinteractive wellspring

Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Fri, 09 Jan 2026 13:30:00 +0000

Type: First Time appeared
  Values Added: Mikado-themes; Mikado-themes wellspring; Wordpress; Wordpress wordpress
Type: Vendors & Products
  Values Added: Mikado-themes; Mikado-themes wellspring; Wordpress; Wordpress wordpress

Thu, 08 Jan 2026 19:15:00 +0000

Type: Metrics (cvssV3_1)
  Values Added: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N'}
Type: Metrics (ssvc)
  Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 08 Jan 2026 09:45:00 +0000

Type: Description
  Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Wellspring wellspring allows PHP Local File Inclusion. This issue affects Wellspring: from n/a through < 2.8.
Type: Title
  Values Added: WordPress Wellspring theme < 2.8 - Local File Inclusion vulnerability
Type: Weaknesses
  Values Added: CWE-98
Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:24.212Z

Reserved: 2025-12-15T09:59:55.701Z

Link: CVE-2025-67934

Vulnrichment

Updated: 2026-01-08T18:43:07.787Z

NVD

Status: Modified

Published: 2026-01-08T10:15:52.533

Modified: 2026-04-27T18:16:50.600

Link: CVE-2025-67934

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T10:15:28Z

Weaknesses