{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25380", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-02T12:53:01.429Z", "datePublished": "2026-03-25T16:14:46.878Z", "dateUpdated": "2026-03-25T16:14:46.878Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "feedy", "product": "Feedy", "vendor": "jwsthemes", "versions": [{"changes": [{"at": "2.1.5", "status": "unaffected"}], "lessThanOrEqual": "< 2.1.5", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Phat RiO | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:27.299Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in jwsthemes Feedy feedy allows PHP Local File Inclusion.<p>This issue affects Feedy: from n/a through < 2.1.5.</p>"}], "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in jwsthemes Feedy feedy allows PHP Local File Inclusion.This issue affects Feedy: from n/a through < 2.1.5."}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:46.878Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/feedy/vulnerability/wordpress-feedy-theme-2-1-5-local-file-inclusion-vulnerability?_s_id=cve"}], "title": "WordPress Feedy theme < 2.1.5 - Local File Inclusion vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in jwsthemes Feedy feedy allows PHP Local File Inclusion.This issue affects Feedy: from n/a through < 2.1.5."}], "id": "CVE-2026-25380", "lastModified": "2026-03-25T17:16:48.397", "metrics": {}, "published": "2026-03-25T17:16:48.397", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/feedy/vulnerability/wordpress-feedy-theme-2-1-5-local-file-inclusion-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-98"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T17:57:39.349480+00:00", "value": {"mitigation_remediation": ["Update the Feedy theme to version 2.1.5 or later", "If an update is not possible, deactivate or delete the Feedy theme from the WordPress installation"], "summary": {"action": "Patch", "impact": "Local File Inclusion"}, "threat_synthesis": {"affected_systems": "The issue affects the jwsthemes Feedy theme for WordPress. All released versions prior to 2.1.5 are vulnerable, as the flaw exists from the initial release through the 2.1.4 line. No additional product or version information is supplied.", "description_and_impact": "The vulnerability arises from improper control of the filename used in PHP include/require statements in the Feedy theme. This flaw permits a Local File Inclusion attack, letting an attacker read or execute arbitrary files on the server. The weakness maps to CWE\u201198. The impact is the potential exposure of sensitive server files or execution of unauthorized code, compromising confidentiality and integrity of the affected web application.", "risk_and_exploitability": "The CVSS score is not disclosed, but Local File Inclusion vulnerabilities typically carry a high risk of exploitation. EPSS data is unavailable and the vulnerability is not listed in KEV. The likely attack vector is via a crafted HTTP request that manipulates a file path parameter, allowing remote exploitation where the attacker can trigger the inclusion of local files. Exploitation conditions do not appear to require privileged access, suggesting that any authenticated or unauthenticated user with access to the affected URLs could potentially abuse the flaw."}}}}, "created": "2026-03-25T21:44:44.992776+00:00", "updated": "2026-03-25T21:44:44.992801+00:00", "vendors": []}