CVE-2025-58955
Published: 22 October 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-58955 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, classified under CWE-98 (PHP Remote File Inclusion), which enables PHP Local File Inclusion in the Karzo WordPress theme developed by designervily. The issue affects all Karzo versions prior to 2.6.
Unauthenticated attackers (PR:N) can exploit this vulnerability remotely over the network (AV:N), although with high attack complexity (AC:H), and without requiring user interaction (UI:N). Successful exploitation can result in high impact to confidentiality, integrity, and availability (C:H/I:H/A:H), with scope unchanged (S:U), giving a CVSS 3.1 base score of 8.1.
The Patchstack advisory details this as a Local File Inclusion vulnerability in the WordPress Karzo theme, addressed in version 2.6. Security practitioners should urge users to update to Karzo 2.6 or later to mitigate the issue.
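To make the CWE-98 pattern concrete, the following PHP is an added illustration written for this page; it is not code from the Karzo theme or from Patchstack. The function names, the `template` request parameter, the `templates/` directory and the allowlist entries are all hypothetical. It shows the vulnerable shape (a request value flowing straight into `include`) next to a hardened loader that combines an allowlist with a resolved-path boundary check, plus a small helper a defender can run over request query strings to flag traversal-style probes.

```php
<?php
// Added example for the CWE-98 / LFI class described above. Names, paths and
// the allowlist below are hypothetical and not taken from the Karzo theme.

// VULNERABLE shape: the request parameter controls the included filename, so a
// value containing "../" escapes the templates directory and includes an
// arbitrary local PHP-readable file.
function render_template_vulnerable(string $template): void
{
    include __DIR__ . '/templates/' . $template . '.php';
}

// HARDENED shape: only a fixed set of template names is accepted, and the
// resolved path is verified to stay inside the templates directory before
// anything is included.
function render_template_safe(string $template): void
{
    static $allowed = ['header', 'footer', 'sidebar']; // constructed allowlist

    if (!in_array($template, $allowed, true)) {
        http_response_code(400);
        return;
    }

    $base = realpath(__DIR__ . '/templates');
    $path = realpath($base . '/' . $template . '.php');

    // realpath() returns false for missing files; the prefix check rejects any
    // symlink or traversal that resolves outside $base.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($base === false || $path === false
        || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        http_response_code(400);
        return;
    }

    include $path;
}

// Detection helper for log review: returns true when a raw query string
// contains the traversal or null-byte patterns typical of LFI probing.
// Patterns are constructed for illustration, not taken from any advisory.
function looks_like_lfi_probe(string $query): bool
{
    $decoded = rawurldecode($query);
    $patterns = ['../', '..\\', "\0", 'php://', '..%2f', '%2e%2e'];
    foreach ($patterns as $p) {
        if (stripos($decoded, $p) !== false || stripos($query, $p) !== false) {
            return true;
        }
    }
    return false;
}

// Request handling with the assumed parameter name.
$requested = isset($_GET['template']) ? (string) $_GET['template'] : 'header';
render_template_safe($requested);
```

The allowlist alone already closes the include path; the `realpath()` prefix check is kept as defence in depth so that a later change to the allowlist (for example accepting names with subdirectories) cannot silently reopen traversal. `looks_like_lfi_probe()` is intended for triage of access logs after the theme is updated, to see whether the parameter was being exercised before the patch.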
Details
- CWE(s): CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program)
MITRE ATT&CK Enterprise Techniques
- T1190 (Exploit Public-Facing Application)
Why these techniques?
The vulnerability is a PHP Local File Inclusion (LFI) in a public-facing WordPress theme, directly enabling exploitation of a public-facing web application (T1190) to access sensitive local files.