{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25380", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-02T12:53:01.429Z", "datePublished": "2026-03-25T16:14:46.878Z", "dateUpdated": "2026-04-28T16:14:56.984Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "feedy", "product": "Feedy", "vendor": "jwsthemes", "versions": [{"changes": [{"at": "2.1.5", "status": "unaffected"}], "lessThanOrEqual": "2.1.5", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Phat RiO | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:18:31.373Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in jwsthemes Feedy feedy allows PHP Local File Inclusion.<p>This issue affects Feedy: from n/a through < 2.1.5.</p>"}], "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in jwsthemes Feedy feedy allows PHP Local File Inclusion.This issue affects Feedy: from n/a through < 2.1.5."}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:56.984Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/feedy/vulnerability/wordpress-feedy-theme-2-1-5-local-file-inclusion-vulnerability?_s_id=cve"}], "title": "WordPress Feedy theme < 2.1.5 - Local File Inclusion vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T17:04:58.104024Z", "id": "CVE-2026-25380", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T01:37:46.804Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25380", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-26T17:04:58.104024Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T17:04:48.549Z"}}], "cna": {"title": "WordPress Feedy theme < 2.1.5 - Local File Inclusion vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Phat RiO | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "jwsthemes", "product": "Feedy", "versions": [{"status": "affected", "changes": [{"at": "2.1.5", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "2.1.5"}], "packageName": "feedy", "collectionURL": "https://themeforest.net", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:18:31.373Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Theme/feedy/vulnerability/wordpress-feedy-theme-2-1-5-local-file-inclusion-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in jwsthemes Feedy feedy allows PHP Local File Inclusion.This issue affects Feedy: from n/a through < 2.1.5.", "supportingMedia": [{"type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in jwsthemes Feedy feedy allows PHP Local File Inclusion.<p>This issue affects Feedy: from n/a through < 2.1.5.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:56.984Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25380", "state": "PUBLISHED", "dateUpdated": "2026-04-28T16:14:56.984Z", "dateReserved": "2026-02-02T12:53:01.429Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-25T16:14:46.878Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in jwsthemes Feedy feedy allows PHP Local File Inclusion.This issue affects Feedy: from n/a through < 2.1.5."}, {"lang": "es", "value": "Control inadecuado del nombre de fichero para la declaraci\u00f3n Include/Require en el programa PHP ('PHP inclusi\u00f3n remota de ficheros') vulnerabilidad en jwsthemes Feedy feedy permite PHP inclusi\u00f3n local de ficheros. Este problema afecta a Feedy: desde n/a hasta &lt; 2.1.5."}], "id": "CVE-2026-25380", "lastModified": "2026-04-24T16:35:20.070", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "audit@patchstack.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-25T17:16:48.397", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/feedy/vulnerability/wordpress-feedy-theme-2-1-5-local-file-inclusion-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-98"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.1.5)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Feedy", "source": "cna", "vendor": "jwsthemes"}, "product": "feedy", "vendor": "jwsthemes"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-26T18:43:28.914981+00:00", "value": {"mitigation_remediation": ["Upgrade the Feedy theme to version 2.1.5 or later. ", "If an upgrade is not immediately possible, disable or delete the Feedy theme until the patch is applied. ", "Inspect the site for unexpected files or code and review access logs for signs of exploitation attempts."], "summary": {"action": "Apply Patch", "impact": "Local File Inclusion"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all instances of the jwsthemes Feedy theme running any version prior to 2.1.5. Versions 2.1.5 and newer are not impacted.", "description_and_impact": "Improper control of filename in an include/require statement allows an attacker to include local files via the Feedy WordPress theme, potentially enabling the reading of sensitive files and execution of arbitrary PHP code if a suitable local path can be supplied. The primary impact is the compromise of data confidentiality and the potential elevation of privilege to execute code on the server. This weakness is a classic file\u2011inclusion flaw, identified by CWE\u201198.", "risk_and_exploitability": "With a CVSS score of 8.1 the flaw is of high severity, yet the EPSS score of under 1% suggests it has not yet been widely exploited; it is also not listed in the CISA KEV catalog. The likely attack vector is local, requiring an attacker to trigger the vulnerable include via the theme\u2019s web interface, and there is no evidence this can be triggered remotely. The risk can be mitigated by applying the official patch or disabling the theme."}}}}, "created": "2026-03-25T21:44:44.992776+00:00", "updated": "2026-03-27T09:45:51.094574+00:00", "vendors": ["jwsthemes", "jwsthemes$PRODUCT$feedy", "wordpress", "wordpress$PRODUCT$wordpress"]}