Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in goalthemes Hyori hyori allows PHP Local File Inclusion. This issue affects Hyori: from n/a through <= 1.3.6.
Published: 2026-01-22
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Hyori theme does not properly control the filename passed to PHP include/require statements, allowing attackers to perform local file inclusion and potentially execute arbitrary code. This flaw may enable an attacker to read sensitive files on the server or inject PHP code that is subsequently executed, leading to full compromise of the affected WordPress installation.

Affected Systems

This vulnerability affects the Hyori WordPress theme provided by goalthemes, versions up to and including 1.3.6. All deployments of the theme that have not upgraded past 1.3.6 are vulnerable, regardless of WordPress core version.

Risk and Exploitability

The CVSS score of 8.1 classifies the issue as high severity; the EPSS score of <1% indicates a very low probability of exploitation in the wild, and the vulnerability is not currently listed in the CISA KEV catalog. Nevertheless, the nature of LFI means an attacker who can manipulate the include path could gain code execution, especially if the attacker can place a malicious file in an accessible directory. Based on the description, it is inferred that the attack vector is remote, triggered through crafted URL parameters or form inputs that the theme consumes.

Generated by OpenCVE AI on April 29, 2026 at 11:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Hyori theme version 1.3.7 or later.
  • If an upgrade is not immediately possible, configure the web server to deny PHP execution in the theme's directories and remove any writable file uploads within the theme.
  • Deploy a web application firewall rule set that blocks local file inclusion patterns and logs suspicious attempts.
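As an added example (not code from the Hyori theme or from goalthemes, whose vulnerable code this advisory does not show), the following PHP contrasts the CWE-98 include pattern described under Impact with the allowlisted form that the recommended actions depend on. The theme directory, template names and both helper functions are constructed for the demonstration.

```php
<?php
// Added illustration of the CWE-98 pattern behind this advisory. Hypothetical
// theme code, NOT Hyori's: the advisory gives no detail of the real flaw.

// Constructed sandbox so the script runs stand-alone: a fake theme directory
// containing one legitimate template file.
$themeDir = sys_get_temp_dir() . '/cwe98-demo-' . getmypid();
mkdir($themeDir . '/templates', 0700, true);
file_put_contents($themeDir . '/templates/grid.php', "<?php echo 'grid layout', PHP_EOL;\n");

// Vulnerable pattern: a request parameter becomes part of the include path,
// so whoever controls the parameter controls which file PHP executes.
// (Defined only for comparison; never called here.)
function render_layout_unsafe(string $themeDir, string $layout): void
{
    include $themeDir . '/templates/' . $layout . '.php';
}

// Hardened pattern: the untrusted value is only a key into a fixed allowlist,
// and the resolved path is checked to stay inside the templates directory.
const ALLOWED_LAYOUTS = [
    'grid' => 'grid.php',
    'list' => 'list.php',
];

function render_layout_safe(string $themeDir, string $layout): bool
{
    if (!array_key_exists($layout, ALLOWED_LAYOUTS)) {
        return false;                       // unknown layout name: refuse, do not guess
    }
    $base = realpath($themeDir . '/templates');
    $file = $base === false ? false : realpath($base . '/' . ALLOWED_LAYOUTS[$layout]);
    if ($file === false) {
        return false;                       // allowed name but file missing or unresolvable
    }
    // Defence in depth: the canonical path must start with the templates directory.
    if (strncmp($file, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return false;
    }
    include $file;
    return true;
}

// Demo on the constructed sandbox.
$results = [
    'grid'       => render_layout_safe($themeDir, 'grid'),       // known name, file present
    '../sibling' => render_layout_safe($themeDir, '../sibling'), // not in the allowlist
    'list'       => render_layout_safe($themeDir, 'list'),       // known name, file absent
];
var_dump($results);

// Remove the sandbox.
unlink($themeDir . '/templates/grid.php');
rmdir($themeDir . '/templates');
rmdir($themeDir);
```

Run it with the `php` command-line interpreter. The allowlist lookup is what removes the requester's control over the include path; the realpath containment check is defence in depth for the case where the allowlist itself is ever populated from configuration or other user-influenced data.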

Advisories

No advisories yet.

History

Wed, 28 Jan 2026 17:15:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}
 | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 23 Jan 2026 16:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Wordpress; Wordpress wordpress
Vendors & Products | | Wordpress; Wordpress wordpress

Thu, 22 Jan 2026 23:00:00 +0000

Type | Values Removed | Values Added
Description | | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in goalthemes Hyori hyori allows PHP Local File Inclusion.This issue affects Hyori: from n/a through <= 1.3.6.
Title | | WordPress Hyori theme <= 1.3.6 - Local File Inclusion vulnerability
Weaknesses | | CWE-98
References | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T20:34:46.569Z

Reserved: 2025-12-29T11:18:40.734Z

Link: CVE-2025-69038

Vulnrichment

Updated: 2026-01-28T16:33:03.721Z

NVD

Status : Deferred

Published: 2026-01-22T17:16:16.870

Modified: 2026-06-17T10:00:07.587

Link: CVE-2025-69038

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T11:30:09Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')