Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Fana fana allows PHP Local File Inclusion. This issue affects Fana: from n/a through <= 1.1.35.
Published: 2025-12-24
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper validation of file paths in a PHP include statement allows an attacker to force the WordPress Fana theme to include arbitrary files from the local file system. This local file inclusion can lead to disclosure of sensitive configuration files or credentials and may provide an initial foothold for further exploitation if the site runs with elevated privileges.

Affected Systems

The vulnerability exists in the WordPress Fana theme developed by thembay. All releases of the theme up to and including version 1.1.35 are affected. No other vendors or products are listed.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity. The EPSS score is under 1%, suggesting a low current exploitation probability, and the CVE is not in the CISA KEV catalog. It is inferred from the description that the vulnerability could be triggered by inputs that influence the include statement, such as certain URL parameters or form fields; however, the official description does not explicitly specify the exact attack vector. An attacker must be able to reach the WordPress installation and supply appropriate input; the local nature of the flaw does not permit remote code execution from the network, but it can expose privileged files that may assist in a broader attack.

Generated by OpenCVE AI on April 29, 2026 at 18:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WordPress Fana theme to the latest release (≥ 1.1.36) or any non‑vulnerable version.
  • If an upgrade is not immediately possible, replace or delimit the unsanitized include statements in the theme files, or disable the theme altogether and use a patched version.
  • Apply a web‑application firewall rule to block requests that attempt to trigger local file inclusion, or restrict access to the theme’s include directories to prevent unintended file reads.
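As an added illustration of the second recommended action (example code written for this page, not the Fana theme's own code), the snippet below shows the CWE-98 pattern in a hypothetical template loader next to a hardened version. The function names, the `templates/` directory and the allowlist entries are assumptions, not values taken from the theme.

```php
<?php
// Added example, not code from the Fana theme. Demonstrates the CWE-98
// pattern (include path built from untrusted input) and a hardened form.

// VULNERABLE: the include target is derived directly from request input,
// so any readable file on the local filesystem may be pulled in.
function load_template_vulnerable(string $name): void
{
    include __DIR__ . '/templates/' . $name . '.php';
}

// HARDENED: the input is checked against a fixed allowlist, and the
// resolved path is verified to stay inside the intended directory.
function load_template_safe(string $name): bool
{
    // Hypothetical allowlist of template names the caller may request.
    $allowed = ['header', 'footer', 'sidebar'];
    if (!in_array($name, $allowed, true)) {
        return false;
    }

    $base = realpath(__DIR__ . '/templates');
    $path = realpath($base . '/' . $name . '.php');

    // Reject missing files and anything that resolves outside $base
    // (symlinks or traversal sequences would otherwise escape the directory).
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return false;
    }

    include $path;
    return true;
}

// Usage: only an allowlisted name that resolves inside templates/ is included.
$requested = isset($_GET['tpl']) ? (string) $_GET['tpl'] : 'header'; // 'tpl' is a hypothetical parameter
if (!load_template_safe($requested)) {
    http_response_code(400);
    echo 'Unknown template';
}
```

The allowlist is the control that actually closes the hole; the `realpath` check is defence in depth against mistakes in the allowlist or the directory layout. When auditing a theme, search for `include`, `require`, `include_once` and `require_once` whose argument contains a variable and confirm each one maps input through a fixed set of names rather than concatenating it into the path.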


Advisories

No advisories yet.

History

Mon, 27 Apr 2026 19:30:00 +0000

Type: Metrics
Values Removed: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
Values Added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Mon, 29 Dec 2025 23:15:00 +0000

Type: First Time appeared
Values Added: Wordpress; Wordpress wordpress
Type: Vendors & Products
Values Added: Wordpress; Wordpress wordpress

Wed, 24 Dec 2025 20:15:00 +0000

Type: Metrics
Values Added: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 24 Dec 2025 12:45:00 +0000

Type: Description
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Fana fana allows PHP Local File Inclusion. This issue affects Fana: from n/a through <= 1.1.35.
Type: Title
Values Added: WordPress Fana theme <= 1.1.35 - Local File Inclusion vulnerability
Type: Weaknesses
Values Added: CWE-98
Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:29.564Z

Reserved: 2025-12-19T10:17:09.987Z

Link: CVE-2025-68540

Vulnrichment

Updated: 2025-12-24T19:05:53.621Z

NVD

Status : Deferred

Published: 2025-12-24T13:16:23.093

Modified: 2026-04-27T19:16:29.287

Link: CVE-2025-68540

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T18:45:17Z

Weaknesses