Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Aora aora allows PHP Local File Inclusion. This issue affects Aora: from n/a through <= 1.3.15.
Published: 2025-12-30
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability originates from improper control of the filename used in a PHP include/require statement. An attacker could supply a crafted filename that causes the application to include a local file. This could result in reading sensitive files such as configuration files, database credentials, or system files, and if an arbitrary PHP file is included, it could lead to remote code execution. The weakness is captured by CWE-98.

Affected Systems

WordPress installations that have the thembay Aora theme version 1.3.15 or earlier installed and active are affected. No specific WordPress core versions are listed, so any site running the vulnerable theme is at risk.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity, while the EPSS score of less than 1% suggests that exploitation is currently unlikely but not impossible. The vulnerability is not listed in the CISA KEV catalog, implying no known widespread exploitation. The likely attack vector is a web-based request that triggers the inclusion of a crafted file path; this is inferred from the description, since the theme mishandles file names on the server side. Exploitation would require an attacker to influence the input that determines the included filename.

Generated by OpenCVE AI on April 29, 2026 at 18:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Aora theme to version 1.3.16 or later to remove the vulnerable include logic.
  • If an immediate upgrade is not possible, disable the vulnerable include feature by removing or commenting out the code that performs the include/require based on user input.
  • Restrict file system access for the web server by configuring directory permissions or using .htaccess rules to deny access to sensitive files and directories, preventing the inclusion of critical files even if the application's include logic remains.

Generated by OpenCVE AI on April 29, 2026 at 18:23 UTC.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 21:15:00 +0000

  Metrics (ssvc)
    Removed: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}
    Added:   {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 23 Apr 2026 15:00:00 +0000

  Metrics (cvssV3_1)
    Removed: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
    Added:   {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Tue, 20 Jan 2026 15:30:00 +0000

Tue, 20 Jan 2026 14:45:00 +0000

Mon, 05 Jan 2026 10:45:00 +0000

  First Time appeared
    Added:   Wordpress; Wordpress wordpress
  Vendors & Products
    Added:   Wordpress; Wordpress wordpress

Tue, 30 Dec 2025 23:15:00 +0000

  Metrics (cvssV3_1)
    Added:   {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
  Metrics (ssvc)
    Added:   {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 30 Dec 2025 11:00:00 +0000

  Description
    Added:   Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Aora aora allows PHP Local File Inclusion. This issue affects Aora: from n/a through <= 1.3.15.
  Title
    Added:   WordPress Aora theme <= 1.3.15 - Local File Inclusion vulnerability
  Weaknesses
    Added:   CWE-98
  References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:33.567Z

Reserved: 2025-12-29T11:18:04.293Z

Link: CVE-2025-68985

Vulnrichment

Updated: 2025-12-30T21:42:10.314Z

NVD

Status : Deferred

Published: 2025-12-30T11:15:57.213

Modified: 2026-04-27T19:16:39.697

Link: CVE-2025-68985

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T18:30:17Z

Weaknesses