Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Select-Themes Stockholm stockholm allows PHP Local File Inclusion.This issue affects Stockholm: from n/a through <= 9.14.1.
Published: 2025-12-16
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion potentially enabling unauthorized file access or code execution
Action: Patch Immediately
AI Analysis

Impact

Improper control of the filename used in a PHP include/require statement in the Stockholm theme allows Local File Inclusion. If an attacker can influence the included filename, they may read arbitrary files from the server or include and execute remote files, potentially escalating to code execution or sensitive data disclosure. The vulnerability is categorized as CWE-98, reflecting insecure handling of file paths.

Affected Systems

WordPress installations that have the Stockholm theme version 9.14.1 or earlier are affected. This includes any site using the Select‑Themes Stockholm template from its initial release up through version 9.14.1. No specific WordPress core or PHP version constraints are stated in the advisory.

Risk and Exploitability

The CVSS base score is 7.5, indicating a significant severity. The EPSS score is less than 1 %, suggesting a low probability of exploitation within the current timeframe, and the vulnerability is not listed in CISA's KEV catalog. The likely attack vector involves a crafted HTTP request targeting the vulnerable theme’s input that controls the include path, allowing an attacker with internet access to exploit the local file inclusion. Because it is a local vulnerability, it generally requires the attacker to be able to influence the request to the WordPress instance but does not rely on privileged user credentials.

Generated by OpenCVE AI on April 27, 2026 at 22:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Stockholm theme to the latest version, which removes the insecure include path handling.
  • If an immediate theme upgrade is not possible, temporarily restrict or remove any theme options that allow dynamic file inclusion or hard‑code a whitelist for allowed file paths within the theme’s PHP files.
  • Enable file access logging, monitor for unusual file inclusion attempts, and ensure that the web server’s file permissions limit read access to sensitive directories, adding WAF rules to block suspicious file inclusion patterns.

Generated by OpenCVE AI on April 27, 2026 at 22:19 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Wed, 17 Dec 2025 05:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

 cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 16 Dec 2025 22:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N'}

Tue, 16 Dec 2025 21:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Tue, 16 Dec 2025 17:15:00 +0000

Type Values Removed Values Added
First Time appeared Select-themes
Select-themes stockholm
Wordpress
Wordpress wordpress
Vendors & Products Select-themes
Select-themes stockholm
Wordpress
Wordpress wordpress

Tue, 16 Dec 2025 08:30:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Select-Themes Stockholm stockholm allows PHP Local File Inclusion.This issue affects Stockholm: from n/a through <= 9.14.1.
Title WordPress Stockholm theme <= 9.14.1 - Local File Inclusion vulnerability
Weaknesses CWE-98
References

Subscriptions

Select-themes Stockholm
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T19:57:43.772Z

Reserved: 2025-12-15T10:01:19.544Z

Link: CVE-2025-68068

cve-icon Vulnrichment

Updated: 2025-12-16T20:40:06.099Z

cve-icon NVD

Status : Deferred

Published: 2025-12-16T09:16:02.143

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-68068

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-27T22:30:14Z

Weaknesses