{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25457", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-02T12:53:53.793Z", "datePublished": "2026-03-25T16:14:50.698Z", "dateUpdated": "2026-03-25T16:14:50.698Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "mixtape", "product": "Mixtape", "vendor": "Select-Themes", "versions": [{"lessThanOrEqual": "<= 2.1", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:30.006Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Select-Themes Mixtape mixtape allows PHP Local File Inclusion.<p>This issue affects Mixtape: from n/a through <= 2.1.</p>"}], "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Select-Themes Mixtape mixtape allows PHP Local File Inclusion.This issue affects Mixtape: from n/a through <= 2.1."}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:50.698Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/mixtape/vulnerability/wordpress-mixtape-theme-2-1-local-file-inclusion-vulnerability?_s_id=cve"}], "title": "WordPress Mixtape theme <= 2.1 - Local File Inclusion vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Select-Themes Mixtape mixtape allows PHP Local File Inclusion.This issue affects Mixtape: from n/a through <= 2.1."}], "id": "CVE-2026-25457", "lastModified": "2026-03-25T17:16:51.877", "metrics": {}, "published": "2026-03-25T17:16:51.877", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/mixtape/vulnerability/wordpress-mixtape-theme-2-1-local-file-inclusion-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-98"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T18:50:11.782313+00:00", "value": {"mitigation_remediation": ["Check for and apply the latest official patch or version of the Mixtape theme."], "summary": {"action": "Immediate Patch", "impact": "Local File Inclusion"}, "threat_synthesis": {"affected_systems": "The issue affects the Select\u2011Themes Mixtape theme for WordPress. All released versions up to and including version 2.1 are impacted, as the vulnerability exists across the entire version range from the first release through 2.1.", "description_and_impact": "The vulnerability arises from improper control of the filename used in PHP's include/require statements within the Mixtape theme. This flaw allows an attacker to include arbitrary files from the server, potentially exposing sensitive data or enabling remote code execution if a malicious PHP file can be loaded. The weakness is classified under CWE\u201198 and can result in the compromise of confidentiality, integrity, or availability of the affected WordPress installation.", "risk_and_exploitability": "No CVSS or EPSS score is provided, and the vulnerability is not listed in the CISA KEV catalog, suggesting it has not yet been widely exploited. Nonetheless, the local file inclusion defect presents a high risk because it can be triggered by manipulating input that is processed by the theme. The attack vector is likely via crafted URLs or form submissions that cause the theme to include a file path supplied by the attacker. In the absence of a publicly available patch, administrators should act promptly to update or otherwise mitigate the vulnerability."}}}}, "created": "2026-03-25T21:44:22.314260+00:00", "updated": "2026-03-25T21:44:22.314291+00:00", "vendors": []}