Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes DiveIt diveit allows PHP Local File Inclusion.This issue affects DiveIt: from n/a through <= 1.4.3.
Published: 2026-01-22
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper control of filename in PHP include/require statements, identified as a Local File Inclusion flaw (CWE‑98). An attacker could supply a crafted path that results in the theme including an arbitrary local file from the server. This can lead to disclosure of sensitive data, or if the included file contains code, potentially remote code execution. The vulnerability exists through DiveIt version 1.4.3 inclusive.

Affected Systems

WordPress sites that use the AncoraThemes DiveIt theme. The vulnerability affects all releases of the theme from its initial version up through and including 1.4.3.

Risk and Exploitability

The CVSS score of 8.1 signals a high severity vulnerability, and the EPSS score of less than 1% indicates a low probability of exploitation currently. The flaw is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is an unauthenticated HTTP request that supplies a path parameter to a form, script or admin option that is directly passed to an include or require call. No special privileges or authentication appear to be required, meaning the compromise could be carried out by anyone who can access the affected website.

Generated by OpenCVE AI on April 29, 2026 at 10:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the DiveIt theme to a version newer than 1.4.3, ensuring the vulnerability is fixed.
  • Review any custom code that passes user supplied values to include or require statements and add strict validation or whitelisting of file paths.
  • Restrict file permissions on theme directories and configure the web server to prevent direct access to sensitive PHP or configuration files.

Generated by OpenCVE AI on April 29, 2026 at 10:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 29 Jan 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

 cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 28 Jan 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 23 Jan 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Thu, 22 Jan 2026 23:00:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes DiveIt diveit allows PHP Local File Inclusion.This issue affects DiveIt: from n/a through <= 1.4.3.
Title WordPress DiveIt theme <= 1.4.3 - Local File Inclusion vulnerability
Weaknesses CWE-98
References

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T20:37:40.263Z

Reserved: 2025-12-29T11:18:59.801Z

Link: CVE-2025-69059

cve-icon Vulnrichment

Updated: 2026-01-28T21:40:46.500Z

cve-icon NVD

Status : Deferred

Published: 2026-01-22T17:16:19.650

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-69059

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T10:30:09Z

Weaknesses