CVE-2025-58931
Published: 18 December 2025
Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Palatio palatio allows PHP Local File Inclusion.This issue affects Palatio: from n/a through <= 1.6.
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the improper filename control in PHP include/require by validating inputs to block malicious local file paths.
Enforces restrictions on filename inputs for PHP include/require statements, such as whitelisting allowed paths to prevent local file inclusion.
Remediates the specific LFI flaw in Palatio WordPress theme versions through n/a to <=1.6 by applying patches from advisories like Patchstack.
Security SummaryAI
CVE-2025-58931 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, also known as PHP Remote File Inclusion, that enables PHP Local File Inclusion in the axiomthemes Palatio WordPress theme. This issue affects Palatio versions from n/a through 1.6.
The vulnerability has a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating exploitation over the network by unauthenticated attackers with no user interaction required, though it demands high attack complexity. Successful exploitation allows attackers to achieve high impacts on confidentiality, integrity, and availability, typically through local file inclusion to access or manipulate sensitive server files.
Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/palatio/vulnerability/wordpress-palatio-theme-1-6-local-file-inclusion-vulnerability?_s_id=cve.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is a PHP Local File Inclusion (LFI) in a public-facing WordPress theme, directly enabling exploitation of a public-facing application.