Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Edge-Themes Belletrist belletrist allows PHP Local File Inclusion. This issue affects Belletrist: from n/a through <= 1.2.
Published: 2026-02-20
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion potentially allowing unauthorized code execution
Action: Patch Immediately
AI Analysis

Impact

Improper control of the filename used in a PHP include/require statement creates a local file inclusion flaw in the Edge‑Themes Belletrist WordPress theme. An attacker could supply a path that references sensitive or executable files on the server, leading to the execution of code or disclosure of application secrets. The weakness is represented by CWE‑98, which describes insecure management of filenames in file inclusion mechanisms.

Affected Systems

WordPress sites that use the Edge‑Themes Belletrist theme version 1.2 or earlier are affected. The issue exists from the earliest available version through the current 1.2 release. No specific patch version is listed, so any upgrade to a version newer than 1.2 removes the vulnerability.

Risk and Exploitability

The CVSS score of 8.1 indicates high severity, yet the EPSS score is < 1%, suggesting a low current exploitation probability. Because the flaw is a local file inclusion, it requires the attacker to be able to inject a file path into the application’s include logic; the attack vector is likely a web request that manipulates a parameter. The vulnerability is not listed in the CISA KEV catalog, so no known exploitation is recorded there. Nonetheless, the high severity and potential for code execution make the risk significant for sites that have not upgraded the theme.

Generated by OpenCVE AI on April 27, 2026 at 20:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Belletrist theme to a version newer than 1.2 to remove the vulnerable code
  • If immediate upgrade is not possible, restrict filesystem permissions on the theme directory to prevent reading of sensitive files that could be included
  • Validate and sanitize any user‑supplied path arguments before they reach the include/require statement, ensuring only legitimate, whitelisted file paths are processed.

Advisories

No advisories yet.

History

Wed, 25 Feb 2026 19:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 24 Feb 2026 21:30:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Mon, 23 Feb 2026 15:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Edge-themes; Edge-themes belletrist; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Edge-themes; Edge-themes belletrist; Wordpress; Wordpress wordpress

Fri, 20 Feb 2026 16:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Edge-Themes Belletrist belletrist allows PHP Local File Inclusion. This issue affects Belletrist: from n/a through <= 1.2.

Type: Title
Values Removed: (none)
Values Added: WordPress Belletrist theme <= 1.2 - Local File Inclusion vulnerability

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-98

References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T21:01:43.654Z

Reserved: 2025-12-31T20:13:23.068Z

Link: CVE-2025-69410

Vulnrichment

Updated: 2026-02-24T20:31:28.300Z

NVD

Status: Deferred

Published: 2026-02-20T16:22:29.157

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-69410

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-27T20:15:12Z

Weaknesses