Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Urna urna allows PHP Local File Inclusion. This issue affects Urna: from n/a through <= 2.5.12.
Published: 2026-02-20
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion
Action: Patch Upgrade
AI Analysis

Impact

The vulnerability is due to inadequate validation of file names used inside PHP include/require calls in the Urna WordPress theme. An attacker who can supply a crafted path can cause the theme to read or include arbitrary files stored on the server’s file system. The result is exposure of sensitive configuration or data files, and because the included content can be PHP code, the flaw could also enable execution of malicious code if the attacker can control the content of the included file. The description does not state whether execution is confirmed, so the stated impact is limited to data exposure, although the potential for code execution is implied by the nature of the flaw.

Affected Systems

WordPress installations that use the Urna theme version 2.5.12 or older are affected. The flaw exists only in the theme; the core WordPress framework and other plugins are not involved.

Risk and Exploitability

The CVSS score of 8.1 indicates a high severity, and the low EPSS score of less than 1% suggests that widespread exploitation is unlikely at present. The vulnerability does not appear in the CISA KEV catalog. The most likely attack vector is the theme’s input handling, where an attacker can supply a path that bypasses normal validation and causes the theme to include a local file. Whether additional privileges are required to exploit the flaw is not specified in the CVE data, so it is unclear if an attacker needs administrative access or can operate with normal user rights.

Generated by OpenCVE AI on April 28, 2026 at 17:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest version of the Urna theme (2.5.13 or newer) where the file inclusion check has been implemented.
  • Configure the web server or .htaccess to deny PHP execution in directories that contain theme files that should not be executed by the web server.
  • If an update is not immediately possible, implement a custom filter or script that sanitizes or whitelists file names before any include or require statement is executed within the theme.
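
One way to implement the allowlist approach from the last recommendation, as an added example that is not code from the Urna theme or from OpenCVE. The function name, the "layout" request values and the templates/ directory are assumptions, because the CVE data does not name the vulnerable parameter or file.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not Urna code): the request value is used only as a
// lookup key into a fixed map, never concatenated into a path.
function example_resolve_template(string $baseDir, array $allowed, string $key): ?string
{
    if (!isset($allowed[$key])) {
        return null;                      // unknown key: nothing is included
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() collapses ".." and symlinks, so the prefix check below sees
    // the file that would really be opened.
    $path = realpath($base . DIRECTORY_SEPARATOR . $allowed[$key]);
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($path === false || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;                      // missing file or outside the template dir
    }
    return $path;
}

// Constructed sample layout in a temp directory so the script runs offline.
$root = sys_get_temp_dir() . '/lfi-demo-' . bin2hex(random_bytes(4));
mkdir($root . '/templates', 0700, true);
file_put_contents($root . '/templates/grid.php', "<?php echo 'grid layout';\n");
file_put_contents($root . '/outside.php', "<?php echo 'must never load';\n");

// 'stale' is a deliberately bad allowlist entry to show the containment check.
$allowed = ['grid' => 'grid.php', 'stale' => '../outside.php'];

// Constructed request values, as they might arrive in a "layout" parameter.
foreach (['grid', 'grid.php', '../outside.php', 'stale'] as $requested) {
    $file = example_resolve_template($root . '/templates', $allowed, $requested);
    if ($file === null) {
        printf("%-16s rejected\n", $requested);
        continue;
    }
    printf("%-16s ", $requested);
    include $file;
    echo "\n";
}
```

The lookup rejects any value that is not a known key, and the realpath() prefix check still refuses the file when the allowlist itself points outside the template directory.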

Advisories

No advisories yet.

History

Wed, 25 Feb 2026 09:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 24 Feb 2026 21:30:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Mon, 23 Feb 2026 15:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Thembay; Thembay urna; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Thembay; Thembay urna; Wordpress; Wordpress wordpress

Fri, 20 Feb 2026 16:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Urna urna allows PHP Local File Inclusion. This issue affects Urna: from n/a through <= 2.5.12.

Type: Title
Values Removed: (none)
Values Added: WordPress Urna theme <= 2.5.12 - Local File Inclusion vulnerability

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-98

References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T19:31:29.538Z

Reserved: 2025-12-15T10:00:33.670Z

Link: CVE-2025-67982

Vulnrichment

Updated: 2026-02-24T20:37:11.035Z

NVD

Status: Deferred

Published: 2026-02-20T16:22:04.580

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-67982

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T17:45:16Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')