Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Yolox yolox allows PHP Local File Inclusion. This issue affects Yolox: from n/a through <= 1.0.15.
Published: 2026-01-22
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

WordPress theme Yolox contains an LFI vulnerability caused by improper validation of a filename that is passed to a PHP include statement. This flaw can allow an attacker to read arbitrary local files or, if the attacker can influence the included file to contain PHP code, execute it. The weakness is classified as CWE-98 (Improper Control of Filename for Include/Require Statement). The primary impact is disclosure of sensitive configuration files and the potential to compromise the entire WordPress installation.
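As an added illustration of the CWE-98 pattern described above (hypothetical code written for this page, not the Yolox theme's own source; the function name yolox_example_load_template and the template names are assumptions), a PHP template loader that keeps the request from choosing the include path:

```php
<?php
// Hypothetical example, not code from the Yolox theme.
//
// Unsafe shape behind CWE-98: the request value becomes part of the
// include path, so it can name any readable file on the host.
//   include get_template_directory() . '/templates/' . $_GET['tpl'] . '.php';
//
// Hardened shape: map the request value to a fixed allowlist, then confine
// the resolved path to the theme's template directory before including it.

function yolox_example_load_template(string $requested): bool
{
    // The only templates this entry point is allowed to load.
    $allowed = ['header', 'footer', 'sidebar', 'post-card'];

    if (!in_array($requested, $allowed, true)) {
        return false; // unknown name: refuse, never fall back to raw input
    }

    $base = realpath(get_template_directory() . '/templates');
    $path = realpath($base . '/' . $requested . '.php');

    // realpath() collapses ../ segments and symlinks; a path that does not
    // exist or resolves outside $base is rejected even after the allowlist.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return false;
    }

    include $path;
    return true;
}

// Typical call site: normalise the parameter first, 404 on anything unknown.
$tpl = sanitize_key(wp_unslash($_GET['tpl'] ?? 'header'));
if (!yolox_example_load_template($tpl)) {
    status_header(404);
}
```

The allowlist alone closes the issue; the realpath confinement is defence in depth against a later change that relaxes the list. Note that allow_url_include only governs remote URL wrappers and does not prevent local inclusion.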

Affected Systems

All versions of the AncoraThemes Yolox theme up to and including 1.0.15 are affected. The vulnerability is present in every release from the initial version through 1.0.15. Users running WordPress with any of these versions of the theme should consider the theme version a risk.

Risk and Exploitability

The CVSS score of 8.1 signals high severity, but the EPSS score is under 1%, indicating a low projected probability of exploitation. The flaw is not listed in CISA KEV. This LFI typically requires the attacker to supply a crafted URL or request that influences the theme's file inclusion logic. Since no authentication requirement is mentioned, the vulnerable inclusion is likely reachable over public web access, giving attackers a straightforward attack vector.

Generated by OpenCVE AI on April 29, 2026 at 10:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to Yolox version 1.0.16 or later
  • Replace the theme with a secure alternative or remove it if it is not essential
  • Apply the host-level PHP configuration to disallow unsafe file includes (disable allow_url_include and use open_basedir restrictions)

Advisories

No advisories yet.

History

Thu, 29 Jan 2026 16:15:00 +0000

  Type: Metrics
  Values removed:
    cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}
    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
  Values added:
    cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}
    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 28 Jan 2026 22:15:00 +0000

  Type: Metrics
  Values added:
    cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}
    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 23 Jan 2026 16:45:00 +0000

  Type: First Time appeared
  Values added: Wordpress; Wordpress wordpress
  Type: Vendors & Products
  Values added: Wordpress; Wordpress wordpress

Thu, 22 Jan 2026 23:00:00 +0000

  Type: Description
  Values added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Yolox yolox allows PHP Local File Inclusion. This issue affects Yolox: from n/a through <= 1.0.15.
  Type: Title
  Values added: WordPress Yolox theme <= 1.0.15 - Local File Inclusion vulnerability
  Type: Weaknesses
  Values added: CWE-98
  Type: References
  Values added:

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T20:40:45.508Z

Reserved: 2025-12-29T11:19:12.554Z

Link: CVE-2025-69075

Vulnrichment

Updated: 2026-01-28T21:29:15.159Z

NVD

Status: Deferred

Published: 2026-01-22T17:16:21.610

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-69075

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T10:30:08Z

Weaknesses