Cyber Posture

CVE-2025-58936

High

Published: 18 December 2025

Modified: 27 April 2026
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0022 (44.7th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Description

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Catamaran catamaran allows PHP Local File Inclusion. This issue affects Catamaran: from n/a through <= 1.15.

Mitigating Controls (NIST 800-53 r5)

- prevent: Requires validation of user-supplied filenames in PHP include/require statements, directly preventing local file inclusion by rejecting invalid or malicious paths.
- prevent: Mandates identification, reporting, and correction of flaws like this PHP file inclusion vulnerability through timely patching of the Catamaran theme.
- prevent: Enforces restrictions such as whitelisting permitted filenames or blocking path traversal sequences in file inclusion parameters to block exploitation.
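The filename-allowlisting control above, shown as an added illustrative example rather than code from the Catamaran theme. It assumes a WordPress theme helper that loads a "template part" named by a request parameter from the theme's own parts directory; `ALLOWED_PARTS`, `resolve_part` and the two `load_part_*` functions are hypothetical names, while `get_template_directory()` and `wp_die()` are standard WordPress functions.

```php
<?php
// Added example (not the theme's code). Assumes it runs inside WordPress.
// Weak pattern (CWE-98): the request value flows straight into include, so
// traversal sequences or absolute paths can select files outside the theme.
function load_part_unsafe(string $name): void {
    include get_template_directory() . '/parts/' . $name . '.php';
}

// Hardened pattern: only names on a fixed allowlist are accepted, and the
// resolved path is confirmed to sit inside the parts directory before inclusion.
const ALLOWED_PARTS = ['header', 'footer', 'sidebar', 'gallery']; // hypothetical list

function resolve_part(string $name, string $base_dir): ?string {
    // 1. Allowlist check: the name must be one of the known template parts.
    if (!in_array($name, ALLOWED_PARTS, true)) {
        return null;
    }
    // 2. Defence in depth: reject anything that is not a plain identifier.
    if (!preg_match('/\A[a-z0-9_-]+\z/', $name)) {
        return null;
    }
    // 3. Canonicalise and verify the final path is still under $base_dir.
    $base = realpath($base_dir);
    $path = realpath($base_dir . '/' . $name . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

function load_part_safe(string $name): void {
    $path = resolve_part($name, get_template_directory() . '/parts');
    if ($path === null) {
        // Fail closed: an unknown or malformed name is a 400, never an include.
        wp_die('Unknown template part', 'Bad request', ['response' => 400]);
    }
    include $path;
}
```

The allowlist alone blocks the inclusion of arbitrary files; the identifier regex and the `realpath` prefix check are belt-and-braces so that a later change to the list cannot silently reopen the path.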

Security Summary

CVE-2025-58936 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, classified as a PHP Remote File Inclusion issue that enables PHP Local File Inclusion, affecting the Catamaran WordPress theme developed by axiomthemes. This flaw impacts all versions of the Catamaran theme from n/a through 1.15 inclusive. It is associated with CWE-98 and carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), highlighting its high severity due to potential for significant impacts across confidentiality, integrity, and availability.

The vulnerability can be exploited over the network by unauthenticated attackers requiring no privileges or user interaction, though it demands high attack complexity. Successful exploitation allows attackers to perform local file inclusion, potentially leading to arbitrary file reads, server-side code execution, or other severe compromises depending on the included files and server configuration.

Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/catamaran/vulnerability/wordpress-catamaran-theme-1-15-local-file-inclusion-vulnerability?_s_id=cve, which documents this Local File Inclusion vulnerability in the WordPress Catamaran theme version 1.15. Security practitioners should update to a patched version if available or apply compensating controls such as input validation on file inclusion parameters.

Details

CWE(s): CWE-98

Affected Products: axiomthemes catamaran ≤ 1.15

MITRE ATT&CK Enterprise Techniques

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1005 Data from Local System (Collection): Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

The vulnerability is a public-facing WordPress theme LFI flaw (T1190: Exploit Public-Facing Application) enabling arbitrary local file reads (T1005: Data from Local System) and potential server-side code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
