Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Select-Themes Struktur struktur allows PHP Local File Inclusion.This issue affects Struktur: from n/a through <= 2.5.1.
Published: 2026-02-20
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion leading to possible code execution
Action: Patch Now
AI Analysis

Impact

The reported vulnerability stems from an improper control of the filename used in a PHP include statement within the Select‑Themes Struktur theme. An attacker who can influence the include path may cause the application to load arbitrary local files, potentially exposing sensitive data or enabling remote code execution. This weakness is classified as CWE‑98 and carries a CVSS score of 8.1, indicating a high potential for compromise if exploited.

Affected Systems

WordPress installations that use the Struktur theme from its initial release through version 2.5.1 are affected. All older releases, as well as the 2.5.1 build, retain the flaw.

Risk and Exploitability

The EPSS score of less than 1% suggests low current exploitation activity, and the vulnerability is not listed in the CISA KEV catalog. Nonetheless, the high CVSS score reflects significant impact should the flaw be leveraged. The likely attack vector involves a web‑based request that manipulates the include path via user input, enabling the attacker to read or execute local files on the server.

Generated by OpenCVE AI on April 27, 2026 at 20:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Struktur theme to the latest available version (2.5.2 or newer).
  • If an upgrade is not immediately feasible, disable or remove the Struktur theme from the WordPress installation until a patched version is released.
  • Inspect and sanitize any custom code in the theme or related plugins that performs include/require operations, ensuring file paths are validated against a whitelist and do not accept arbitrary user input.

Generated by OpenCVE AI on April 27, 2026 at 20:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 25 Feb 2026 10:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 24 Feb 2026 21:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Mon, 23 Feb 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Select-themes
Select-themes struktur
Wordpress
Wordpress wordpress
Vendors & Products Select-themes
Select-themes struktur
Wordpress
Wordpress wordpress

Fri, 20 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Select-Themes Struktur struktur allows PHP Local File Inclusion.This issue affects Struktur: from n/a through <= 2.5.1.
Title WordPress Struktur theme <= 2.5.1 - Local File Inclusion vulnerability
Weaknesses CWE-98
References

Subscriptions

Select-themes Struktur
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T21:01:12.190Z

Reserved: 2025-12-31T20:13:23.067Z

Link: CVE-2025-69407

cve-icon Vulnrichment

Updated: 2026-02-24T20:31:40.375Z

cve-icon NVD

Status : Deferred

Published: 2026-02-20T16:22:27.087

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-69407

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-27T20:15:12Z

Weaknesses