How to fix CVE-2025-28991?

Within 24 hours: Identify all systems running snstheme Evon and assess exposure. Within 7 days: Implement WAF rules to block suspicious file inclusion patterns and disable the vulnerable theme if not business-critical. Within 30 days: Upgrade to a patched version or migrate to an alternative theme; verify no unauthorized file access occurred through log review.

Is PHP affected by CVE-2025-28991?

A critical file inclusion vulnerability in snstheme Evon (versions 3.4 and below) allows attackers to access sensitive local files on affected web servers.

PHP CVE-2025-28991

EUVD-2025-18520 HIGH

PHP Remote File Inclusion (CWE-98)

2025-06-17 [email protected]

PHP Information Disclosure

8.1

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 14, 2026 - 22:15 vuln.today

EUVD ID Assigned

Mar 14, 2026 - 22:15 euvd

EUVD-2025-18520

CVE Published

Jun 17, 2025 - 15:15 nvd

HIGH 8.1

DescriptionNVD

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in snstheme Evon allows PHP Local File Inclusion. This issue affects Evon: from n/a through 3.4.

AnalysisAI

PHP Local File Inclusion (LFI) vulnerability in the snstheme Evon WordPress theme (versions up to 3.4) that allows unauthenticated remote attackers to include and execute arbitrary local files on the server. An attacker can exploit this via a network attack with high complexity to achieve arbitrary code execution, data exfiltration, and system compromise. The vulnerability stems from improper input validation on filename parameters passed to PHP include/require statements.

Technical ContextAI

This vulnerability exploits CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program), a classic PHP security flaw where user-controlled input is passed unsanitized to PHP's include(), require(), include_once(), or require_once() functions. The snstheme Evon theme (CPE likely: cpe:2.3:a:snstheme:evon:*:*:*:*:*:wordpress:*:*) fails to properly sanitize or whitelist filename parameters, allowing attackers to manipulate file paths. Unlike Remote File Inclusion (RFI), this LFI variant is restricted to local files already present on the server, but an attacker can still leverage this to read sensitive configuration files (wp-config.php, database credentials, /etc/passwd), abuse PHP wrappers (php://filter, php://input), or chain with file upload vulnerabilities to achieve code execution.

RemediationAI

Immediate action: Evon theme users should update to version 3.5 or later (assumed available post-disclosure). If a patched version is not immediately available, consider: (1) Disable or uninstall the Evon theme temporarily and switch to an alternative theme. (2) Implement Web Application Firewall (WAF) rules to block suspicious include/require parameter patterns. (3) Harden PHP configuration by disabling allow_url_include and allow_url_fopen if not required. (4) Implement strict input validation on all user-supplied parameters with whitelist-based filename checks. (5) Monitor access logs for suspicious file inclusion attempts (patterns like '../', 'php://', 'file://'). (6) Apply WordPress security hardening (disable file editing, restrict database access). Vendor patch information should be obtained from the official snstheme website or WordPress theme repository. No CVE patch details are provided in the description; consult vendor advisories directly.

CVE-2025-28991 vulnerability details – vuln.today

Back

PHP CVE-2025-28991

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code