CVE-2025-27015
Published: 26 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-27015 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, also known as PHP Remote File Inclusion, that enables PHP Local File Inclusion (CWE-98) in the Hostiko WordPress theme developed by designingmedia. This issue affects all versions of the Hostiko theme from n/a through those prior to 30.1.
The vulnerability can be exploited over the network (AV:N) by attackers with low privileges (PR:L), though it requires high attack complexity (AC:H) and no user interaction (UI:N). Successful exploitation grants high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), with an overall CVSS 3.1 score of 7.5 and unchanged scope (S:U), potentially allowing attackers to include and execute arbitrary local PHP files.
Patchstack advisories indicate that the vulnerability is mitigated in Hostiko version 30.1, recommending that users update to this version or later to address the local file inclusion flaw. Additional details are available at https://patchstack.com/database/Wordpress/Theme/hostiko/vulnerability/wordpress-hostiko-theme-30-1-local-file-inclusion-vulnerability?_s_id=cve.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
LFI vulnerability in public-facing WordPress theme allows network-based exploitation to include/execute arbitrary local PHP files, directly mapping to T1190.