CVE-2025-59555
Published: 22 October 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-59555 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, classified as PHP Remote File Inclusion but enabling PHP Local File Inclusion, affecting the ThemeMove Medizin WordPress theme. The issue impacts all versions of Medizin from n/a through those prior to 1.9.7. Published on 2025-10-22, it carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-98.
Attackers can exploit this vulnerability over the network with no required privileges or user interaction, though it demands high attack complexity. Successful exploitation allows high-impact confidentiality, integrity, and availability violations, potentially enabling arbitrary file inclusion and execution of local files on the server.
The Patchstack advisory for this vulnerability in the WordPress Medizin theme recommends updating to version 1.9.7 or later, where the local file inclusion issue has been addressed.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a PHP Local File Inclusion (LFI) in a public-facing WordPress theme, enabling remote exploitation for arbitrary file inclusion and execution, directly mapping to Exploit Public-Facing Application (T1190).