CVE-2025-22712
Published: 08 January 2026
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-22712 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability (CWE-98) in the QantumThemes Typify WordPress theme. It is described as PHP Remote File Inclusion but enables PHP Local File Inclusion. The issue affects Typify versions up to and including 3.0.2. The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) and was published on 2026-01-08T10:15:47.727.
Unauthenticated attackers can exploit this vulnerability remotely over the network, requiring high attack complexity but no privileges or user interaction. Exploitation allows high-impact compromises to confidentiality, integrity, and availability, enabling local file inclusion on the affected server.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/typify/vulnerability/wordpress-typify-theme-3-0-2-local-file-inclusion-vulnerability?_s_id=cve details this local file inclusion vulnerability in the Typify WordPress theme version 3.0.2. Security practitioners should review it for recommended mitigations and patches.
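To find installs that fall in the affected range stated above, the following added example (not code from the advisory or the theme) reads each theme's `style.css` header under `wp-content/themes` and compares its `Version` field against 3.0.2. The folder slug and header name `typify` are assumptions taken from the advisory URL, and the function names are hypothetical.

```python
import re
from pathlib import Path

AFFECTED_MAX = (3, 0, 2)   # from this page: Typify <= 3.0.2
THEME_NAME = "typify"      # assumption: folder slug / header name as in the advisory URL

def parse_header(css_text):
    """Read 'Key: value' fields from the style.css header (WordPress reads the first 8 KiB)."""
    fields = {}
    pattern = r"^[ \t/*#@]*(Theme Name|Version|Template)[ \t]*:(.*)$"
    for m in re.finditer(pattern, css_text[:8192], re.M | re.I):
        fields.setdefault(m.group(1).lower(), m.group(2).strip(" \t\r*/"))
    return fields

def version_tuple(text):
    """'3.0.2' -> (3, 0, 2); None when no leading dotted number is present."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not m:
        return None
    parts = [int(p) for p in m.group(0).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def assess(folder, css_text):
    """Classify one theme; returns None when it is unrelated to Typify."""
    h = parse_header(css_text)
    if THEME_NAME not in (folder.lower(), h.get("theme name", "").lower()):
        # A child theme still loads the parent's code, so flag it for follow-up.
        return "child-of-typify" if h.get("template", "").lower() == THEME_NAME else None
    ver = version_tuple(h.get("version", ""))
    if ver is None:
        return "review"        # no usable Version header: check by hand
    # "outside-range" only means the version is above the range listed on this page.
    return "affected" if ver <= AFFECTED_MAX else "outside-range"

def scan_themes(themes_dir):
    """Return {folder: status} for every Typify-related theme under themes_dir."""
    results = {}
    for css in sorted(Path(themes_dir).glob("*/style.css")):
        text = css.read_text(encoding="utf-8", errors="replace")
        status = assess(css.parent.name, text)
        if status:
            results[css.parent.name] = status
    return results

if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for name, status in scan_themes(root).items():
        print(f"{name}: {status}")
```

Run it with the path to `wp-content/themes` as the only argument; a `review` result means the header had no parseable version and the install needs a manual check.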
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a remote file inclusion (RFI/LFI) in a public-facing WordPress theme, directly enabling exploitation of a public-facing web application for initial access, data exposure, or code execution.