Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Muji muji allows PHP Local File Inclusion.This issue affects Muji: from n/a through <= 1.2.0.
Published: 2026-01-22
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Muji theme for WordPress permits inclusion of arbitrary local files through an unchecked filename supplied to a PHP include statement. This flaw allows an attacker to read any file that the web server’s process can access, exposing sensitive configuration files, credentials, or other secrets. The vulnerability is a classic Local File Inclusion (LFI) issue arising from improper control of filenames in PHP code.

Affected Systems

All WordPress installations that use the Muji theme version 1.2.0 or earlier are affected. AncoraThemes Muji distributions from the legacy release through <=1.2.0 contain the vulnerable include logic.

Risk and Exploitability

The CVSS score of 8.1 indicates a high severity flaw. The EPSS probability is listed as less than 1 percent, suggesting that current exploitation attempts are unlikely but the risk persists. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker could supply a path or filename via a request parameter that bypasses the check and triggers the include, enabling arbitrary file reads. Successful exploitation would depend on the server’s file permissions and PHP configuration, but no remote code execution capability is explicitly documented in the input.

Generated by OpenCVE AI on April 29, 2026 at 10:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Muji theme to the latest version that removes the unsafe include logic
  • Limit the files readable by the web server by setting appropriate directory and file permissions on the WordPress application
  • Validate or whitelist any filename parameters used by the theme before passing them to include statements

Generated by OpenCVE AI on April 29, 2026 at 10:46 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 29 Jan 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

 cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 28 Jan 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 23 Jan 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Thu, 22 Jan 2026 23:00:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Muji muji allows PHP Local File Inclusion.This issue affects Muji: from n/a through <= 1.2.0.
Title WordPress Muji theme <= 1.2.0 - Local File Inclusion vulnerability
Weaknesses CWE-98
References

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T20:39:00.772Z

Reserved: 2025-12-29T11:19:06.667Z

Link: CVE-2025-69068

cve-icon Vulnrichment

Updated: 2026-01-28T21:37:41.717Z

cve-icon NVD

Status : Deferred

Published: 2026-01-22T17:16:20.820

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-69068

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T11:00:10Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')