CVE-2025-58934

High

Published: 18 December 2025

Published

18 December 2025

Modified

27 April 2026

KEV Added

—

Patch

—

CVSS Score 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0022 44.7th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Description

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes The Gig thegig allows PHP Local File Inclusion.This issue affects The Gig: from n/a through <= 1.18.0.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly mandates timely patching and remediation of the specific PHP Local File Inclusion flaw in the vulnerable WordPress theme versions up to 1.18.0.

SI-10 Information Input Validation good match

prevent

Requires validation of information inputs such as filenames supplied to PHP include/require statements to block exploitation of the improper filename control vulnerability.

RA-5 Vulnerability Monitoring and Scanning partial match

detect

Enables vulnerability scanning to identify the presence of CVE-2025-58934 in installed WordPress themes, facilitating proactive remediation.

Security SummaryAI

CVE-2025-58934 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, classified as PHP Remote File Inclusion but enabling PHP Local File Inclusion, in the axiomthemes The Gig (thegig) WordPress theme. This issue affects The Gig theme versions from n/a through 1.18.0 and is associated with CWE-98. The vulnerability was published on 2025-12-18.

Remote unauthenticated attackers (PR:N) can exploit this vulnerability over the network (AV:N) with high attack complexity (AC:H) and no user interaction (UI:N). Successful exploitation results in high impacts to confidentiality, integrity, and availability (C:H/I:H/A:H), yielding a CVSS v3.1 base score of 8.1 in an unchanged scope (S:U).

The Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/thegig/vulnerability/wordpress-the-gig-theme-1-18-0-local-file-inclusion-vulnerability?_s_id=cve details this WordPress theme vulnerability and should be consulted for mitigation and patching guidance.

Details

CWE(s): CWE-98

Affected Products

axiomthemes

the gig

≤ 1.18.0

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1005 Data from Local System Collection

Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

attack.mitre.org →

Why these techniques?

LFI vulnerability in public-facing WordPress theme enables exploitation of public-facing application (T1190) and reading arbitrary local files for data collection (T1005).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://patchstack.com/database/Wordpress/Theme/thegig/vulnerability/wordpress-the-gig-theme-1-18-0-local-file-inclusion-vulnerability?_s_id=cve
audit@patchstack.com