CVE-2025-58944

High

Published: 18 December 2025

Published

18 December 2025

Modified

27 April 2026

KEV Added

—

Patch

—

CVSS Score 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0022 44.7th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Description

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Manufactory manufactory allows PHP Local File Inclusion.This issue affects Manufactory: from n/a through <= 1.4.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly mitigates the CVE by requiring timely identification, reporting, and patching of the PHP local file inclusion flaw in the vulnerable Manufactory WordPress theme.

SI-10 Information Input Validation good match

prevent

Prevents exploitation by enforcing validation of user-supplied filenames prior to their use in PHP include/require statements, blocking malicious local file paths.

RA-5 Vulnerability Monitoring and Scanning partial match

detect

Enables detection of the PHP LFI vulnerability in the Manufactory theme through ongoing vulnerability scanning of web applications and components.

Security SummaryAI

CVE-2025-58944 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, classified as PHP Remote File Inclusion but enabling PHP Local File Inclusion, in the Manufactory WordPress theme developed by axiomthemes. This issue affects Manufactory versions from n/a through 1.4 inclusive. It is associated with CWE-98 and carries a CVSS 3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to network accessibility and significant impacts on confidentiality, integrity, and availability.

Unauthenticated remote attackers can exploit this vulnerability over the network without user interaction, though it requires high attack complexity. Exploitation allows local file inclusion, potentially enabling attackers to read sensitive files, execute arbitrary code if PHP files are included, or disrupt system availability.

The Patchstack advisory provides further details on this WordPress Manufactory theme vulnerability, available at https://patchstack.com/database/Wordpress/Theme/manufactory/vulnerability/wordpress-manufactory-theme-1-4-local-file-inclusion-vulnerability?_s_id=cve.

Details

CWE(s): CWE-98

Affected Products

axiomthemes

manufactory

≤ 1.4

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1005 Data from Local System Collection

Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

attack.mitre.org →

Why these techniques?

The vulnerability allows unauthenticated remote exploitation of a public-facing WordPress theme via LFI (T1190), enabling reading of sensitive local files (T1005).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://patchstack.com/database/Wordpress/Theme/manufactory/vulnerability/wordpress-manufactory-theme-1-4-local-file-inclusion-vulnerability?_s_id=cve
audit@patchstack.com