Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in don-themes Molla molla allows PHP Local File Inclusion.This issue affects Molla: from n/a through <= 1.5.16.
Published: 2026-03-05
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion
Action: Immediate Patch
AI Analysis

Impact

This vulnerability in the Don-Themes Molla WordPress theme is an improper control of filenames used in include/require statements, allowing the execution of arbitrary local files. An attacker who can influence the parameter resolved by the include can read sensitive files or execute code if the PHP engine is permissive. The flaw is classified as a PHP Local File Inclusion and does not require remote file loading; it relies solely on local file paths.

Affected Systems

The Don-Themes Molla theme for WordPress is affected, specifically all releases up to and including version 1.5.16. No other registered vendors or products are listed, and the vulnerability cuts across the entire version range before 1.5.16.

Risk and Exploitability

The CVSS score of 8.1 indicates a high severity risk. The EPSS score of less than 1% suggests that exploitation is unlikely at present, and the vulnerability is not listed in CISA’s KEV catalog. Based on the description, the likely attack vector is a local attacker who can supply or manipulate input that is passed directly to an include or require statement. Successful exploitation could lead to information disclosure or code execution within the context of the authenticated user or, if the site is compromised, the entire webserver.

Generated by OpenCVE AI on April 27, 2026 at 20:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Molla theme to the latest available version (which removes the vulnerable include logic).
  • If an upgrade cannot be performed immediately, modify the theme code to validate file names against a strict whitelist before passing them to include or require.
  • Ensure PHP configuration disables insecure operations by setting allow_url_include and allow_url_fopen to Off and limiting the include_path to trusted directories.

Generated by OpenCVE AI on April 27, 2026 at 20:03 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 10 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 06 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Don-themes
Don-themes molla
Wordpress
Wordpress wordpress
Vendors & Products Don-themes
Don-themes molla
Wordpress
Wordpress wordpress

Thu, 05 Mar 2026 06:15:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in don-themes Molla molla allows PHP Local File Inclusion.This issue affects Molla: from n/a through <= 1.5.16.
Title WordPress Molla theme <= 1.5.16 - Local File Inclusion vulnerability
Weaknesses CWE-98
References

Subscriptions

Don-themes Molla
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T20:54:14.921Z

Reserved: 2025-12-31T20:12:23.433Z

Link: CVE-2025-69339

cve-icon Vulnrichment

Updated: 2026-03-10T13:15:20.294Z

cve-icon NVD

Status : Deferred

Published: 2026-03-05T06:16:12.543

Modified: 2026-04-22T21:26:58.303

Link: CVE-2025-69339

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-27T20:15:12Z

Weaknesses