Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Nika nika allows PHP Local File Inclusion. This issue affects Nika: from n/a through <= 1.2.14.
Published: 2025-12-23
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability arises from improper control of the filename used in an include/require statement in PHP. The flaw allows an attacker to specify arbitrary local file paths to be included or read by the WordPress Nika theme. Because the included content is processed as PHP code, the attack can reveal sensitive configuration files, database credentials, or other private data, raising confidentiality concerns. The weakness is classified as CWE-98.

Affected Systems

All installations of the Nika theme for WordPress through version 1.2.14 are affected. This includes any WordPress site that has not yet updated the theme beyond that release. The theme's code is maintained by thembay, and the issue applies to the entire product line up to that version.

Risk and Exploitability

The vulnerability has a CVSS score of 7.5, indicating high severity. The EPSS score is below 1%, suggesting a low probability of exploitation in the near term. It is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is local, occurring when the theme processes input that determines the filename, but it could be triggered remotely if user-supplied input indirectly controls that value.

Generated by OpenCVE AI on April 29, 2026 at 18:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Nika theme to a version newer than 1.2.14 that eliminates the vulnerable code.
  • If an update is not yet available, modify the theme’s PHP files to validate and sanitize any filename parameters before they are passed to include or require, or remove the vulnerable code paths entirely.
  • Restrict direct web access to sensitive files and directories such as /wp-config.php or /.env by configuring the web server or the theme so they cannot be included.
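As an illustration of the second recommended action (validate the filename before it reaches include/require), here is an added example of an allow-list-based include guard in PHP. It is not the Nika theme's code; the function name, the template directory and the template names are assumptions.

```php
<?php
// Added illustrative hardening pattern for CWE-98; not the Nika theme's code.
// Assumptions: templates live under one fixed directory and are selected by a
// short name that arrives from untrusted input (e.g. a query parameter).
// The weak form this replaces is an include whose path is built directly
// from that raw value; here the value is only ever used as a lookup key.

declare(strict_types=1);

/**
 * Resolve a template name to a file path, or return null if it is not allowed.
 *
 * Defence in depth, in order:
 *  1. Syntactic allow-list: only [a-z0-9_-], so "../", stream wrappers such as
 *     "php://", NUL bytes and absolute paths are rejected before any filesystem call.
 *  2. Explicit allow-list of known template names (assumed list below).
 *  3. realpath() containment check: the resolved file must still sit inside the
 *     template directory, guarding against symlinks and odd path normalisation.
 */
function resolve_template(string $name, string $template_dir, array $allowed): ?string
{
    if (!preg_match('/\A[a-z0-9_-]{1,64}\z/', $name)) {
        return null;
    }
    if (!in_array($name, $allowed, true)) {
        return null;
    }
    $base = realpath($template_dir);
    $path = realpath($template_dir . DIRECTORY_SEPARATOR . $name . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    // Containment check: $path must begin with "$base" followed by a separator.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Usage with a constructed request value (names are assumptions, not the theme's).
$allowed   = ['header', 'footer', 'product-grid'];
$requested = (string) ($_GET['template'] ?? 'header');
$file      = resolve_template($requested, __DIR__ . '/templates', $allowed);

if ($file === null) {
    http_response_code(400);
    exit('Unknown template');
}
include $file; // only ever one of the allow-listed files under templates/
```

Logging the rejected value at the `null` branch gives a cheap detection signal for probing of this parameter.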



Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Values Added: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Thembay Nika allows PHP Local File Inclusion. This issue affects Nika: from n/a through 1.2.14.
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Nika nika allows PHP Local File Inclusion. This issue affects Nika: from n/a through <= 1.2.14.

Type: References
Values: (none listed)

Type: Metrics (cvssV3_1)
Values Added: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Tue, 23 Dec 2025 23:00:00 +0000

Type: First Time appeared
Values Added: Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Wordpress; Wordpress wordpress

Tue, 23 Dec 2025 15:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 23 Dec 2025 12:15:00 +0000

Type: Description
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Thembay Nika allows PHP Local File Inclusion. This issue affects Nika: from n/a through 1.2.14.

Type: Title
Values Added: WordPress Nika theme <= 1.2.14 - Local File Inclusion vulnerability

Type: Weaknesses
Values Added: CWE-98

Type: References
Values: (none listed)

Type: Metrics (cvssV3_1)
Values Added: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:30.256Z

Reserved: 2025-12-19T10:17:17.171Z

Link: CVE-2025-68546

Vulnrichment

Updated: 2025-12-23T14:14:51.682Z

NVD

Status : Deferred

Published: 2025-12-23T12:15:45.457

Modified: 2026-04-23T15:36:00.263

Link: CVE-2025-68546

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T18:45:17Z

Weaknesses