CVE-2025-58949

High

Published: 18 December 2025

Published

18 December 2025

Modified

27 April 2026

KEV Added

—

Patch

—

CVSS Score 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0022 44.7th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Description

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Spock spock allows PHP Local File Inclusion.This issue affects Spock: from n/a through <= 1.17.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

preventrecover

Flaw remediation directly mitigates CVE-2025-58949 by applying patches or updates to the vulnerable Spock WordPress theme versions through 1.17.

SI-10 Information Input Validation good match

prevent

Information input validation addresses the improper filename control in PHP include/require statements, preventing local file inclusion exploitation.

CM-6 Configuration Settings partial match

prevent

Secure configuration settings for PHP, such as open_basedir restrictions, limit the file access scope exploitable by this LFI vulnerability.

Security SummaryAI

CVE-2025-58949 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, classified as a PHP Remote File Inclusion issue but enabling PHP Local File Inclusion, in the Spock WordPress theme developed by axiomthemes. This flaw affects all versions of the Spock theme from n/a through 1.17 inclusive. It is associated with CWE-98 and carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to network accessibility and significant impacts.

Unauthenticated attackers (PR:N) can exploit this vulnerability remotely over the network (AV:N) without user interaction (UI:N), though it requires high attack complexity (AC:H). Successful exploitation allows local file inclusion, potentially granting high-level access to confidential data (C:H), modification of system integrity (I:H), and disruption of availability (A:H) within the scope of the affected WordPress theme (S:U).

The primary advisory is available from Patchstack, detailing the Local File Inclusion vulnerability specifically in WordPress Spock theme version 1.17. Security practitioners should consult this reference for mitigation guidance, such as applying available patches or theme updates.

Details

CWE(s): CWE-98

Affected Products

axiomthemes

spock

≤ 1.17

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1005 Data from Local System Collection

Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

attack.mitre.org →

Why these techniques?

The vulnerability is a Local File Inclusion (LFI) in a public-facing WordPress theme, directly exploited via T1190 (Exploit Public-Facing Application). LFI enables reading arbitrary local files, facilitating T1005 (Data from Local System).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://patchstack.com/database/Wordpress/Theme/spock/vulnerability/wordpress-spock-theme-1-17-local-file-inclusion-vulnerability?_s_id=cve
audit@patchstack.com