Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Nika nika allows PHP Local File Inclusion. This issue affects Nika: from n/a through <= 1.2.14.
Published: 2026-02-20
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Nika WordPress theme contains a PHP file inclusion flaw where the filename used in include/require statements is not properly validated. An attacker can supply a crafted path that points to local files; if the server blindly includes the file, it may expose or execute arbitrary local content, potentially revealing sensitive data or running malicious code.

Affected Systems

This issue affects the WordPress Nika theme sold by thembay. All installations using version 1.2.14 or earlier are vulnerable; newer releases are unaffected.

Risk and Exploitability

The flaw is rated CVSS 8.1, indicating high severity. The EPSS score is less than 1%, implying low current exploitation likelihood, and the vulnerability is not listed in CISA KEV. Attackers would need web access to the site and the ability to influence the include parameter; with those prerequisites they could gain read access to local files or execute code, making the risk significant if the site hosts sensitive data.

Generated by OpenCVE AI on April 29, 2026 at 14:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Nika theme to the latest version (≥ 1.2.15) where the filename validation has been fixed
  • If an immediate update is not possible, switch to a trusted theme that does not use dynamic includes or temporarily disable the Nika theme to prevent exploitation
  • Verify that file permissions are set correctly so only necessary files are world‑readable and ensure all includes are validated against a whitelist, applying the principle of least privilege



Advisories

No advisories yet.

History

Mon, 27 Apr 2026 19:30:00 +0000

Type: Metrics
Values Removed: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}
Values Added: cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Fri, 27 Feb 2026 18:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 27 Feb 2026 17:30:00 +0000

Type: Metrics
Values Added: cvssV3_1 {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}


Mon, 23 Feb 2026 15:00:00 +0000

Type: First Time appeared
Values Added: Thembay; Thembay nika; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Thembay; Thembay nika; Wordpress; Wordpress wordpress

Fri, 20 Feb 2026 16:15:00 +0000

Type: Description
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Nika nika allows PHP Local File Inclusion. This issue affects Nika: from n/a through <= 1.2.14.

Type: Title
Values Added: WordPress Nika theme <= 1.2.14 - Local File Inclusion vulnerability

Type: Weaknesses
Values Added: CWE-98
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:30.118Z

Reserved: 2025-12-19T10:17:17.171Z

Link: CVE-2025-68545

Vulnrichment

Updated: 2026-02-27T17:02:08.960Z

NVD

Status: Deferred

Published: 2026-02-20T16:22:11.910

Modified: 2026-04-27T19:16:29.410

Link: CVE-2025-68545

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T14:45:13Z

Weaknesses