CVE-2025-52729
Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Diza diza allows PHP Local File Inclusion. This issue affects Diza: from n/a through <= 1.3.9.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Diza WordPress theme <=1.3.9 has a local file inclusion vulnerability allowing attackers to read sensitive files.
Vulnerability Description
The Diza WordPress theme versions up to and including 1.3.9 suffer from a PHP Local File Inclusion (LFI) vulnerability due to improper control of filenames in include/require statements. This allows an attacker to include arbitrary local files from the server, potentially exposing sensitive information.
Exploitation
Attackers can exploit this vulnerability by crafting a malicious request that includes a path to a local file. No authentication is required, and the attack can be performed remotely. The vulnerability is considered highly dangerous and is expected to be mass-exploited due to its ease of use and the prevalence of the theme [1].
Impact
Successful exploitation could allow an attacker to read local files, such as configuration files containing database credentials. This could lead to complete database compromise depending on the server configuration [1].
Mitigation
The vendor has released a patched version 1.3.11. Users are strongly advised to update immediately. For those who cannot update, implementing a web application firewall (WAF) rule or using a security plugin with virtual patching can provide temporary protection [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 1
News mentions: 0
No linked articles in our index yet.