Skip to main content

CVE-2025-28990: CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in snstheme SNS Vicky

High
VulnerabilityCVE-2025-28990cvecve-2025-28990cwe-98
Published: Fri Jun 27 2025 (06/27/2025, 11:52:41 UTC)
Source: CVE Database V5
Vendor/Project: snstheme
Product: SNS Vicky

Description

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in snstheme SNS Vicky allows PHP Local File Inclusion. This issue affects SNS Vicky: from n/a through 3.7.

AI-Powered Analysis

AILast updated: 06/27/2025, 12:45:56 UTC

Technical Analysis

CVE-2025-28990 is a high-severity vulnerability classified under CWE-98, which involves improper control of filenames used in include or require statements within PHP programs. Specifically, this vulnerability affects the SNS Vicky theme developed by snstheme, versions up to 3.7. The flaw allows an attacker to perform a PHP Local File Inclusion (LFI) attack by manipulating the filename parameter that is included or required by the PHP application. This can lead to the inclusion and execution of arbitrary files on the server, potentially exposing sensitive information, executing malicious code, or causing denial of service. The vulnerability is remotely exploitable over the network without requiring authentication or user interaction, but it has a high attack complexity, meaning some conditions must be met for successful exploitation. The CVSS v3.1 base score is 8.1, reflecting high impact on confidentiality, integrity, and availability. Although no known exploits are currently reported in the wild, the vulnerability poses a significant risk due to the nature of PHP file inclusion flaws, which are commonly leveraged for web server compromise and lateral movement within networks. The absence of available patches at the time of publication increases the urgency for mitigation.

Potential Impact

For European organizations using the SNS Vicky theme, particularly those running websites or web applications on PHP platforms, this vulnerability could lead to severe consequences. Successful exploitation could result in unauthorized disclosure of sensitive data, including configuration files, credentials, or customer information, violating GDPR and other data protection regulations. Integrity of web content and backend systems could be compromised, enabling attackers to inject malicious scripts or backdoors, facilitating persistent access or further attacks. Availability could also be impacted if attackers leverage the vulnerability to disrupt services or crash the web server. Given the high connectivity and reliance on web services in European businesses, especially in sectors like e-commerce, finance, and public administration, the threat could cause reputational damage, regulatory penalties, and financial losses. The vulnerability's remote exploitability without authentication increases the risk of automated scanning and exploitation attempts by threat actors targeting European infrastructure.

Mitigation Recommendations

Organizations should immediately audit their web applications to identify any use of the SNS Vicky theme, particularly versions up to 3.7. If detected, they should consider disabling or removing the theme until a vendor patch or update is released. In the absence of official patches, applying virtual patching via Web Application Firewalls (WAFs) to block suspicious requests attempting to manipulate include parameters is recommended. Developers should review and harden PHP code by validating and sanitizing all user inputs used in include or require statements, employing whitelisting of allowed filenames, and avoiding dynamic inclusion of files based on user input. Implementing least privilege principles on the web server file system can limit the impact by restricting accessible files. Monitoring web server logs for unusual access patterns or error messages related to file inclusion attempts can help detect exploitation attempts early. Additionally, organizations should keep abreast of vendor advisories for official patches and apply them promptly once available.

Need more detailed analysis?Get Pro

Technical Details

Data Version
5.1
Assigner Short Name
Patchstack
Date Reserved
2025-03-11T08:10:44.966Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 685e88edca1063fb875de4a0

Added to database: 6/27/2025, 12:05:01 PM

Last enriched: 6/27/2025, 12:45:56 PM

Last updated: 8/1/2025, 4:27:27 AM

Views: 12

Actions

PRO

Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.

Please log in to the Console to use AI analysis features.

Need enhanced features?

Contact root@offseq.com for Pro access with improved analysis and higher rate limits.

Latest Threats