CVE-2025-39466
Published: 06 November 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-39466 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, classified as a PHP Remote File Inclusion issue, in the Mikado-Themes Dør WordPress theme. It enables PHP Local File Inclusion and affects Dør versions from n/a through 2.4. The vulnerability corresponds to CWE-98 and was published on 2025-11-06.
The attack vector is network-based (AV:N), with high attack complexity (AC:H), requiring no privileges (PR:N) or user interaction (UI:N), and no change in scope (S:U). A remote unauthenticated attacker can exploit it to achieve high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), resulting in a CVSS v3.1 base score of 8.1.
Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/dor/vulnerability/wordpress-doer-2-4-local-file-inclusion-vulnerability?_s_id=cve.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is an unauthenticated remote file inclusion (LFI/RFI) in a public-facing WordPress theme, directly enabling exploitation of public-facing applications for high-impact compromise (C/I/A).