Cyber Resilience

CVE-2025-26735

High

Published: 19 May 2025

Published
19 May 2025
Modified
28 April 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0106 78.1th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-26735 is a high-severity PHP Remote File Inclusion (CWE-98) vulnerability. Its CVSS base score is 7.5 (High).

Operationally, ranked in the top 21.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2025-26735 is a PHP Remote File Inclusion vulnerability (CWE-98) affecting the Grip WordPress theme by Candid themes. The flaw stems from improper control of filenames in include/require statements and impacts all versions through 1.0.9.

An unauthenticated remote attacker can exploit the issue over the network by supplying a crafted filename, provided a user performs a specific action that triggers the vulnerable code path. Successful exploitation grants the attacker the ability to include arbitrary files, resulting in high impacts to confidentiality, integrity, and availability.

The sole advisory reference from PatchStack identifies the issue as a local file inclusion vulnerability in the Grip theme up to version 1.0.9 and points to a database entry for further details on the affected component.

EPSS remains low and unchanged at 0.0106 with no observable rise after disclosure.

EU & UK References

Vulnerability details

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Candid themes Grip.This issue affects Grip: from n/a through 1.0.9.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References