CVE-2025-22509
Published: 08 January 2026
Description
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Security Summary
CVE-2025-22509 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability (CWE-98, commonly labelled "PHP Remote File Inclusion") that allows PHP Local File Inclusion in the TMRW-studio Atlas WordPress theme. It affects Atlas versions up to and including 2.1.0 (no lower bound specified) and was published on 2026-01-08.
The vulnerability can be exploited by unauthenticated attackers (PR:N) over the network (AV:N) without user interaction (UI:N), though it requires high attack complexity (AC:H) and leaves scope unchanged (S:U). Successful exploitation has high impact on confidentiality, integrity, and availability (C:H/I:H/A:H), giving a CVSS v3.1 base score of 8.1. An attacker who can control the included filename can read or include arbitrary local files, leading to information disclosure or code execution.
Patchstack's advisory at https://patchstack.com/database/Wordpress/Theme/atlas/vulnerability/wordpress-atlas-theme-2-1-0-local-file-inclusion-vulnerability?_s_id=cve provides details on this Local File Inclusion issue in the WordPress Atlas theme version 2.1.0, including mitigation guidance for affected deployments.
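To illustrate the CWE-98 pattern behind this class of theme bug, here is an added example of a hypothetical WordPress template loader (not the Atlas theme's code) in its vulnerable form and a hardened form; the `tpl` parameter, the template names and the `templates/` subdirectory are assumptions.

```php
<?php
// VULNERABLE (CWE-98): the request parameter flows straight into require.
// A traversal sequence such as "../" in $tpl escapes the templates
// directory, so any readable .php file on the host can be included.
function load_template_vulnerable(string $tpl): void {
    require get_template_directory() . '/templates/' . $tpl . '.php';
}

// HARDENED: accept only names from a fixed allowlist, then resolve the
// final path and refuse anything that does not stay under the templates
// directory. The realpath check is defence in depth behind the allowlist.
function load_template_hardened(string $tpl): void {
    $allowed = ['home', 'portfolio', 'contact'];   // hypothetical names
    if (!in_array($tpl, $allowed, true)) {
        wp_die('Unknown template', 'Bad request', ['response' => 400]);
    }
    $base = realpath(get_template_directory() . '/templates');
    $path = realpath($base . '/' . $tpl . '.php');
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        wp_die('Unknown template', 'Bad request', ['response' => 400]);
    }
    require $path;
}

// Typical call site: the untrusted value comes from the query string.
$tpl = isset($_GET['tpl']) ? (string) $_GET['tpl'] : 'home';
load_template_hardened($tpl);
```

When reviewing a theme for this weakness, look for any `include`/`require` whose path is built from `$_GET`, `$_POST`, `$_REQUEST` or `$_COOKIE` without an allowlist of this kind.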
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An LFI in a public-facing WordPress theme can be exploited remotely without authentication (T1190) and allows arbitrary local file reads that disclose sensitive data (T1005).