Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in beeteam368 VidoRev vidorev allows PHP Local File Inclusion. This issue affects VidoRev: from n/a through <= 2.9.9.9.9.9.7.
Published: 2026-02-20
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion – potential data disclosure and execution of arbitrary local code
Action: Update Theme
AI Analysis

Impact

The flaw stems from inadequate validation of filenames used in a PHP include/require statement within the beeteam368 VidoRev WordPress theme. As a result, an attacker can supply a filename that leads the server to include any file from the local filesystem. This can expose sensitive files to the attacker and, in circumstances where the included file contains executable PHP code, could allow that code to run on the web server.

Affected Systems

The vulnerability affects the beeteam368 VidoRev theme for WordPress. All releases from the earliest available version through 2.9.9.9.9.9.7 are susceptible. WordPress installations deploying any of these theme versions are impacted.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity. The EPSS score of less than 1% suggests that exploitation attempts are currently expected to be uncommon. The vulnerability is not listed in the CISA KEV catalog, so no widespread exploitation campaigns are known. The likely attack vector is a crafted HTTP request to a page or endpoint of the vulnerable theme that supplies an attacker-controlled filename parameter to the PHP include logic. Successful exploitation would let the attacker read arbitrary files on the server or, if a malicious PHP script can be placed in a reachable location, execute that script on the server.

Generated by OpenCVE AI on April 28, 2026 at 09:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the VidoRev theme to a version newer than 2.9.9.9.9.9.7
  • If an upgrade is not possible, modify the theme’s file‑include logic to validate any filenames against a whitelist or restrict the include paths to a predefined set of safe files
  • If code modification cannot be performed, consider disabling the theme or reducing file system permissions so that local files cannot be included via the web interface

Generated by OpenCVE AI on April 28, 2026 at 09:29 UTC.


Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

  Metrics (cvssV3_1)
    Values Removed: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}
    Values Added:   {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Tue, 24 Feb 2026 21:15:00 +0000

  Metrics
    Values Added (cvssV3_1): {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}
    Values Added (ssvc):     {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 23 Feb 2026 15:00:00 +0000

  First Time appeared
    Values Added: Beeteam368; Beeteam368 vidorev; Wordpress; Wordpress wordpress
  Vendors & Products
    Values Added: Beeteam368; Beeteam368 vidorev; Wordpress; Wordpress wordpress

Fri, 20 Feb 2026 16:15:00 +0000

  Description
    Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in beeteam368 VidoRev vidorev allows PHP Local File Inclusion. This issue affects VidoRev: from n/a through <= 2.9.9.9.9.9.7.
  Title
    Values Added: WordPress VidoRev theme <= 2.9.9.9.9.9.7 - Local File Inclusion vulnerability
  Weaknesses
    Values Added: CWE-98
  References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:39.622Z

Reserved: 2025-12-31T20:13:05.451Z

Link: CVE-2025-69373

Vulnrichment

Updated: 2026-02-24T20:11:16.541Z

NVD

Status : Deferred

Published: 2026-02-20T16:22:21.580

Modified: 2026-04-27T21:16:25.567

Link: CVE-2025-69373

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T09:30:26Z

Weaknesses