CVE-2025-58995
Published: 06 November 2025
Description
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Security Summary
CVE-2025-58995 is a CWE-98 weakness (Improper Control of Filename for Include/Require Statement in PHP Program; the CWE is titled "PHP Remote File Inclusion", but the reported issue is a PHP Local File Inclusion) in the Leblix WordPress theme developed by Creatives_Planet. The issue affects Leblix versions from n/a through 2.4 and was published on 2025-11-06.
The vulnerability carries a CVSS 3.1 score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating exploitation is possible over the network by unauthenticated attackers with no user interaction required, though it demands high attack complexity. Successful attacks can result in high impacts to confidentiality, integrity, and availability, potentially allowing attackers to include and execute local files on the server.
Mitigation guidance is available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/leblix/vulnerability/wordpress-leblix-theme-2-4-local-file-inclusion-vulnerability?_s_id=cve.
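As an added illustration of the CWE-98 pattern described above (this is not code from the Leblix theme or from the Patchstack advisory; the loader functions, template names and directory layout are hypothetical), the weak include is shown beside an allowlisted, realpath-checked version that a theme author would use instead:

```php
<?php
// Added example, not Leblix code: a hypothetical WordPress theme template
// loader showing the CWE-98 pattern and an allowlist-plus-realpath hardening.
declare(strict_types=1);

// Weak pattern: the include path is built directly from request-supplied
// input, so any value that resolves outside the templates directory is
// included and executed as PHP (the Local File Inclusion described above).
function load_template_weak(string $name): void {
    include get_template_directory() . '/templates/' . $name . '.php';
}

// Hardened loader: only names from a fixed allowlist are accepted, and the
// resolved path is verified to sit inside the theme's templates directory.
const ALLOWED_TEMPLATES = ['header', 'footer', 'sidebar', 'post-card'];

function resolve_template(string $name, string $template_dir): ?string {
    if (!in_array($name, ALLOWED_TEMPLATES, true)) {
        return null;                      // unknown name: refuse outright
    }
    $base      = realpath($template_dir);
    $candidate = realpath($template_dir . '/' . $name . '.php');
    if ($base === false || $candidate === false) {
        return null;                      // missing directory or file
    }
    // realpath() collapses ".." and symlinks and returns false for stream
    // wrappers such as php://; a result outside $base has escaped the directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

function load_template_hardened(string $name): void {
    $path = resolve_template($name, get_template_directory() . '/templates');
    if ($path === null) {
        // wp_die() and get_template_directory() are real WordPress functions.
        wp_die('Unknown template', 'Bad request', ['response' => 400]);
    }
    include $path;
}
```

The allowlist alone blocks every value the theme does not expect; the realpath check is the defence-in-depth layer that holds even if the allowlist is later loosened to accept user-shaped names.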
Details
- CWE(s): CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program)
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
- T1005 Data from Local System
Why these techniques?
CVE-2025-58995 is a public-facing WordPress theme vulnerability exploitable remotely by unauthenticated attackers (T1190). It enables Local File Inclusion, allowing attackers to include and execute arbitrary local files, facilitating collection of data from the local system (T1005).