{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25379", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-02T12:53:01.429Z", "datePublished": "2026-03-25T16:14:46.711Z", "dateUpdated": "2026-03-25T16:14:46.711Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "streamvid", "product": "StreamVid", "vendor": "jwsthemes", "versions": [{"changes": [{"at": "6.8.6", "status": "unaffected"}], "lessThanOrEqual": "< 6.8.6", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Phat RiO | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:27.028Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in jwsthemes StreamVid streamvid allows PHP Local File Inclusion.<p>This issue affects StreamVid: from n/a through < 6.8.6.</p>"}], "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in jwsthemes StreamVid streamvid allows PHP Local File Inclusion.This issue affects StreamVid: from n/a through < 6.8.6."}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:46.711Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/streamvid/vulnerability/wordpress-streamvid-theme-6-8-6-local-file-inclusion-vulnerability?_s_id=cve"}], "title": "WordPress StreamVid theme < 6.8.6 - Local File Inclusion vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in jwsthemes StreamVid streamvid allows PHP Local File Inclusion.This issue affects StreamVid: from n/a through < 6.8.6."}], "id": "CVE-2026-25379", "lastModified": "2026-03-25T17:16:48.250", "metrics": {}, "published": "2026-03-25T17:16:48.250", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/streamvid/vulnerability/wordpress-streamvid-theme-6-8-6-local-file-inclusion-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-98"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T17:58:10.166406+00:00", "value": {"mitigation_remediation": ["Upgrade the StreamVid theme to version 6.8.6 or later.", "If an update cannot be applied immediately, disable the theme and remove the plugin files from the server.", "Ensure that any inclusion paths in the theme code use canonicalized, validated file names and restrict access to sensitive directories."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The StreamVid theme by jwsthemes, versions earlier than 6.8.6, are affected. No specific patch version is listed beyond 6.8.6, so any deployment of the theme at a version lower than 6.8.6 is vulnerable.", "description_and_impact": "The vulnerability arises from improper control of the filename used in PHP include/require statements within the StreamVid theme. An attacker can craft a request that forces the theme to include a local file, allowing read access to sensitive files and, if PHP code is executed, remote code execution. This issue falls under CWE\u201198 and can compromise confidentiality, integrity, and availability of the affected WordPress site.", "risk_and_exploitability": "No EPSS score is provided and the vulnerability is not listed in the KEV catalog, but the nature of a local file inclusion is widely recognized as highly exploitable by unauthenticated users who can manipulate URLs or form inputs. The absence of a patch for affected versions means that an attacker with internet visibility can trigger the flaw easily, making the risk high until the theme is updated to 6.8.6 or later."}}}}, "created": "2026-03-25T21:44:45.899324+00:00", "updated": "2026-03-25T21:44:45.899351+00:00", "vendors": []}