Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeGoods Photography photography allows PHP Local File Inclusion. This issue affects Photography: from n/a through < 7.7.5.
Published: 2026-01-22
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Photography theme from ThemeGoods contains an improper filename validation flaw that allows an attacker to influence the file path passed to a PHP include/require statement. This vulnerability can lead to local file inclusion on the web server, potentially exposing sensitive files or allowing code execution depending on the server configuration and the files that can be included. The flaw is rated CVSS 8.1, indicating a high severity impact on confidentiality and integrity.

Affected Systems

WordPress installations that use the Photography theme version 7.7.4 or earlier are affected. Any site that has not upgraded to 7.7.5 or newer is vulnerable.

Risk and Exploitability

The CVSS score of 8.1 signals a major risk, but the EPSS score of less than 1% suggests that exploit attempts are currently rare. The vulnerability is not listed in the CISA KEV catalog. Likely attack vectors involve crafting a request that provides an attacker‑controlled file path to the include/require call; if the application accepts user‑supplied filenames without proper validation, an attacker may exploit the flaw remotely without needing privileged access.

Generated by OpenCVE AI on April 29, 2026 at 11:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Photography theme to version 7.7.5 or later, which contains the fix for the filename validation issue.
  • If an upgrade is not immediately possible, configure the web server to block PHP execution in directories that are not meant to house application code, and ensure that the theme’s include paths point only to safe, read‑only locations.
  • Review the application’s file inclusion logic to confirm that all file paths are validated against a whitelist and that no user input can influence the path beyond the intended scope.
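The third action above asks that include paths be validated against a whitelist so request input cannot steer the include/require call. The loader below is an added example of that pattern; it is not code from the Photography theme, and the class, template names and directory layout are hypothetical. Only exact allowlist keys resolve to a file, and a realpath check confirms the result still lies inside the templates directory.

```php
<?php
// Added example (not ThemeGoods' code): a template loader that only ever
// includes files from a fixed allowlist, so user input cannot control the
// include/require statement (CWE-98). Names and paths are hypothetical.

declare(strict_types=1);

// Unsafe pattern this replaces: an include whose path is taken from the request,
// e.g. include $_GET['template']; or include $dir . $_GET['template'] . '.php';
// Both let the request choose which file is executed.

final class TemplateLoader
{
    /** @var array<string, string> logical name => file relative to the templates dir */
    private const ALLOWED = [
        'gallery' => 'gallery.php',
        'single'  => 'single.php',
        'archive' => 'archive.php',
    ];

    private string $baseDir;

    public function __construct(string $baseDir)
    {
        $real = realpath($baseDir);
        if ($real === false) {
            throw new RuntimeException('templates directory does not exist');
        }
        $this->baseDir = $real;
    }

    /** Resolve a request parameter to an absolute path, or null if it is not allowed. */
    public function resolve(string $name): ?string
    {
        // 1. Only exact allowlist keys are accepted; traversal sequences, stream
        //    wrappers and arbitrary filenames never reach the filesystem.
        if (!isset(self::ALLOWED[$name])) {
            return null;
        }
        // 2. Defence in depth: the resolved file must still live under the base directory.
        $path   = realpath($this->baseDir . DIRECTORY_SEPARATOR . self::ALLOWED[$name]);
        $prefix = $this->baseDir . DIRECTORY_SEPARATOR;
        if ($path === false || strncmp($path, $prefix, strlen($prefix)) !== 0) {
            return null;
        }
        return $path;
    }

    /** Include the template, or answer 404 when the name is not on the allowlist. */
    public function render(string $name): void
    {
        $path = $this->resolve($name);
        if ($path === null) {
            http_response_code(404);
            exit;
        }
        require $path;
    }
}

// Usage (hypothetical): the parameter comes straight from the request; the
// allowlist, not the request, decides which file is included.
$loader = new TemplateLoader(__DIR__ . '/templates');
$loader->render((string) ($_GET['template'] ?? 'gallery'));
```

The key design choice is that the request value is used only as a lookup key, never as part of a path string; a value such as `../../other` has no allowlist entry and is rejected before any filesystem access. The realpath prefix check is redundant with the allowlist but catches a misconfigured symlink or an edited allowlist entry that points outside the templates directory.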

Advisories

No advisories yet.

History

Tue, 27 Jan 2026 22:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added:
  cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 23 Jan 2026 16:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Wordpress; Wordpress wordpress

Thu, 22 Jan 2026 23:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeGoods Photography photography allows PHP Local File Inclusion. This issue affects Photography: from n/a through < 7.7.5.

Type: Title
Values Removed: (none)
Values Added: WordPress Photography theme < 7.7.5 - Local File Inclusion vulnerability

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-98

Type: References
Values Removed: (none)
Values Added: (none)

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T19:59:53.707Z

Reserved: 2025-12-19T10:16:51.230Z

Link: CVE-2025-68510

Vulnrichment

Updated: 2026-01-27T21:44:21.434Z

NVD

Status : Deferred

Published: 2026-01-22T17:16:10.523

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-68510

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T11:30:09Z

Weaknesses