Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in jwsthemes Feedy feedy allows PHP Local File Inclusion. This issue affects Feedy: from n/a through < 2.1.5.
Published: 2026-03-25
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion
Action: Apply Patch
AI Analysis

Impact

Improper control of filename in an include/require statement allows an attacker to include local files via the Feedy WordPress theme, potentially enabling the reading of sensitive files and execution of arbitrary PHP code if a suitable local path can be supplied. The primary impact is the compromise of data confidentiality and the potential elevation of privilege to execute code on the server. This weakness is a classic file‑inclusion flaw, identified by CWE‑98.

Affected Systems

The vulnerability affects all instances of the jwsthemes Feedy theme running any version prior to 2.1.5. Versions 2.1.5 and newer are not impacted.

Risk and Exploitability

With a CVSS score of 8.1 the flaw is of high severity, yet the EPSS score of under 1% suggests it has not yet been widely exploited; it is also not listed in the CISA KEV catalog. The likely attack vector is local, requiring an attacker to trigger the vulnerable include via the theme’s web interface, and there is no evidence this can be triggered remotely. The risk can be mitigated by applying the official patch or disabling the theme.

Generated by OpenCVE AI on March 26, 2026 at 18:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Feedy theme to version 2.1.5 or later.
  • If an upgrade is not immediately possible, disable or delete the Feedy theme until the patch is applied.
  • Inspect the site for unexpected files or code and review access logs for signs of exploitation attempts.



Advisories

No advisories yet.

History

Thu, 26 Mar 2026 17:15:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}
 | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 12:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Jwsthemes; Jwsthemes feedy; Wordpress; Wordpress wordpress
Vendors & Products | | Jwsthemes; Jwsthemes feedy; Wordpress; Wordpress wordpress

Wed, 25 Mar 2026 16:45:00 +0000

Type | Values Removed | Values Added
Description | | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in jwsthemes Feedy feedy allows PHP Local File Inclusion. This issue affects Feedy: from n/a through < 2.1.5.
Title | | WordPress Feedy theme < 2.1.5 - Local File Inclusion vulnerability
Weaknesses | | CWE-98
References | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-23T14:14:09.621Z

Reserved: 2026-02-02T12:53:01.429Z

Link: CVE-2026-25380

Vulnrichment

Updated: 2026-03-26T17:04:48.549Z

NVD

Status: Deferred

Published: 2026-03-25T17:16:48.397

Modified: 2026-04-24T16:35:20.070

Link: CVE-2026-25380

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:45:51Z

Weaknesses