Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Diza diza allows PHP Local File Inclusion. This issue affects Diza: from n/a through <= 1.3.15.
Published: 2026-02-20
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises in the thembay Diza WordPress theme, which does not properly validate the filename it passes to PHP include/require statements. This flaw allows a local file inclusion that could let an attacker read or execute arbitrary files on the server. It is classified as CWE-98. Based on the description, it is inferred that if the attacker can influence which file is included, they might read sensitive files or execute PHP code, leading to remote code execution.

Affected Systems

The flaw affects WordPress sites that use the thembay Diza theme version 1.3.15 and earlier. Any installation using a newer version is not affected. No other WordPress themes or plugins are listed in the CVE record.

Risk and Exploitability

The CVSS score of 8.1 classifies the vulnerability as high severity, but the EPSS score of less than 1% indicates a very low current exploitation probability. The issue is not yet included in the CISA KEV catalog. Attackers are likely to exploit the vulnerability by manipulating input that the theme uses to build file paths for include/require calls. Such an attack typically requires access to modify theme parameters or the ability to upload files to the server. Given the lack of path sanitization, an attacker could include a locally stored PHP file and trigger remote code execution. This inferred attack vector is based on the nature of the flaw (CWE-98) and the absence of defensive checks on the included filename in the theme code.
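To make the CWE-98 pattern above concrete, here is an added PHP illustration that is not code from the Diza theme or from Patchstack: it shows a template-loading function that lets a request parameter shape the include path, alongside a hardened version that maps the request onto a fixed allowlist and confirms the resolved file still sits inside the templates directory. The parameter name "template", the templates directory and the template names are assumptions made for the example.

```php
<?php
// Added illustration of CWE-98 (Improper Control of Filename for Include/Require).
// Not the Diza theme's code; "template", the templates/ directory and the
// template names below are assumptions for this example.

// Weak pattern: the request value is concatenated straight into the path.
// Because the caller controls the string, any readable file on the server can be
// pulled in, and a PHP file the caller can place on disk would be executed.
function render_template_unsafe(string $requested): void
{
    include __DIR__ . '/templates/' . $requested . '.php';
}

// Hardened pattern: the request is only ever used as a lookup key, so no
// path characters from the request reach the filesystem call.
const TEMPLATE_ALLOWLIST = [
    'default' => 'default.php',
    'grid'    => 'grid.php',
    'list'    => 'list.php',
];

// Returns the absolute path of an allowed template, or null if the request is
// not on the allowlist or the resolved file is outside the templates directory.
function resolve_template(string $requested): ?string
{
    if (!array_key_exists($requested, TEMPLATE_ALLOWLIST)) {
        return null;
    }

    $base = realpath(__DIR__ . '/templates');
    if ($base === false) {
        return null; // templates directory missing: fail closed
    }

    $path = realpath($base . DIRECTORY_SEPARATOR . TEMPLATE_ALLOWLIST[$requested]);

    // Defence in depth: realpath() collapses ".." and follows symlinks, so this
    // prefix check catches a symlinked or misconfigured entry that escapes $base.
    if ($path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }

    return $path;
}

function render_template_safe(string $requested): void
{
    $path = resolve_template($requested);
    if ($path === null) {
        http_response_code(400);
        echo 'Unknown template';
        return;
    }
    include $path;
}

// Typical call site: the request parameter is cast to string and defaulted,
// but never used as a path fragment.
// render_template_safe((string) ($_GET['template'] ?? 'default'));
```

The important design choice is that the request value is a dictionary key rather than a path component: rejecting `..` or `/` with a regular expression is fragile (encoding tricks, null bytes in older PHP, stream wrappers), whereas an allowlist makes the set of includable files fixed at deploy time. The realpath prefix check is a second, independent control for the case where the allowlisted file itself is a symlink or the directory is misconfigured.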

Generated by OpenCVE AI on April 29, 2026 at 12:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Diza theme to a version newer than 1.3.15 if available.
  • Disable or remove the theme from the WordPress installation if updating is not practicable.
  • Restrict file permissions so that the theme directory cannot be written to by non‑administrative users, and employ a web application firewall or file‑integrity monitoring to detect attempts to include unauthorized files.

Advisories

No advisories yet.

History

Wed, 25 Feb 2026 09:15:00 +0000

Type: Metrics (ssvc)
Values Removed: none
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 24 Feb 2026 21:30:00 +0000

Type: Metrics (cvssV3_1)
Values Removed: none
Values Added: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Mon, 23 Feb 2026 15:00:00 +0000

Type: First Time appeared
Values Removed: none
Values Added: Thembay; Thembay diza; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: none
Values Added: Thembay; Thembay diza; Wordpress; Wordpress wordpress

Fri, 20 Feb 2026 16:15:00 +0000

Type: Description
Values Removed: none
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Diza diza allows PHP Local File Inclusion.This issue affects Diza: from n/a through <= 1.3.15.

Type: Title
Values Removed: none
Values Added: WordPress Diza theme <= 1.3.15 - Local File Inclusion vulnerability

Type: Weaknesses
Values Removed: none
Values Added: CWE-98

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T20:01:26.897Z

Reserved: 2025-12-19T10:17:09.987Z

Link: CVE-2025-68543

Vulnrichment

Updated: 2026-02-24T20:39:00.093Z

NVD

Status : Deferred

Published: 2026-02-20T16:22:11.777

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-68543

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T13:00:06Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')