Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in jwsthemes StreamVid streamvid allows PHP Local File Inclusion. This issue affects StreamVid: from n/a through < 6.8.6.
Published: 2026-03-25
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion
Action: Patch Now
AI Analysis

Impact

Improper control of the filename used in PHP include/require statements in the jwsthemes StreamVid theme creates a local file inclusion flaw. This weakness lets an attacker read arbitrary files on the server and, if the included file can be overwritten, execute code with the web server's privileges. The vulnerability is classified as CWE-98 and carries a high CVSS score of 8.1, indicating significant risk to confidentiality, integrity, and availability.

Affected Systems

All WordPress installations that use the StreamVid theme by jwsthemes and run any version earlier than 6.8.6 are affected. The risk applies from the earliest release of the theme through to 6.8.5, meaning that any site that has not upgraded to 6.8.6 or later remains vulnerable.

Risk and Exploitability

The CVSS score reflects a high severity level, while the EPSS score of less than 1% suggests a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is remote: an attacker can exploit the flaw by crafting a request that manipulates the filename used in an include/require statement, possibly via URL parameters or form inputs. If unauthenticated access is possible, the attacker may read sensitive configuration files or, with write permissions, upload and execute arbitrary code.

Generated by OpenCVE AI on March 26, 2026 at 21:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the StreamVid theme to version 6.8.6 or later to remove the vulnerable code.
  • Remove any older copies of the StreamVid theme from the WordPress installation to prevent accidental use of the vulnerable version.
  • If an immediate upgrade is not possible, restrict file system permissions so that the web server cannot read or write to directories that are not intended for file inclusion, thereby limiting the impact of any local file inclusion attempts.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 19:15:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 12:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Jwsthemes; Jwsthemes streamvid; Wordpress; Wordpress wordpress
Vendors & Products | | Jwsthemes; Jwsthemes streamvid; Wordpress; Wordpress wordpress

Wed, 25 Mar 2026 16:45:00 +0000

Type | Values Removed | Values Added
Description | | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in jwsthemes StreamVid streamvid allows PHP Local File Inclusion. This issue affects StreamVid: from n/a through < 6.8.6.
Title | | WordPress StreamVid theme < 6.8.6 - Local File Inclusion vulnerability
Weaknesses | | CWE-98
References | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-24T17:06:30.354Z

Reserved: 2026-02-02T12:53:01.429Z

Link: CVE-2026-25379

Vulnrichment

Updated: 2026-03-26T18:25:57.835Z

NVD

Status: Deferred

Published: 2026-03-25T17:16:48.250

Modified: 2026-04-24T16:35:20.070

Link: CVE-2026-25379

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:45:52Z

Weaknesses