Cyber Posture

CVE-2025-58896

High

Published: 18 December 2025

Published
18 December 2025
Modified
27 April 2026
KEV Added
Patch
CVSS Score 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0022 44.7th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Description

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Otaku otaku allows PHP Local File Inclusion.This issue affects Otaku: from n/a through <= 1.8.0.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Directly mitigates the improper filename control in PHP include/require by validating user-supplied inputs to prevent local file inclusion attacks.

SI-2 Flaw Remediation good match
prevent

Ensures timely identification, reporting, and patching of the specific LFI vulnerability in the Otaku WordPress theme versions through 1.8.0.

CM-6 Configuration Settings partial match
prevent

Enforces secure PHP and web server configuration settings, such as open_basedir restrictions, to limit the scope of potential file inclusions.

Security SummaryAI

CVE-2025-58896 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, classified as a PHP Remote File Inclusion issue that enables PHP Local File Inclusion, affecting the AncoraThemes Otaku WordPress theme. This flaw impacts all versions of Otaku from n/a through 1.8.0. Published on 2025-12-18, it carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-98.

The vulnerability can be exploited by unauthenticated attackers over the network, requiring no user interaction but high attack complexity. Successful exploitation grants high-impact access to confidentiality, integrity, and availability, allowing attackers to perform local file inclusion, potentially resulting in arbitrary file reads, sensitive data exposure, or remote code execution depending on server configuration.

Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/otaku/vulnerability/wordpress-otaku-theme-1-8-0-local-file-inclusion-vulnerability?_s_id=cve, which covers the Local File Inclusion vulnerability in the Otaku WordPress theme version 1.8.0.

Details

CWE(s)
CWE-98

Affected Products

ancorathemes
otaku
≤ 1.8.0

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
attack.mitre.org →
T1083 File and Directory Discovery Discovery
Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.
attack.mitre.org →
Why these techniques?

Public-facing WordPress theme vulnerability enables unauthenticated remote exploitation (T1190) via improper filename control in PHP include/require, facilitating local file inclusion for arbitrary file reads from the local system (T1005) and file/directory discovery (T1083).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References