CVE-2025-60048

High

Published: 18 December 2025

Published

18 December 2025

Modified

27 April 2026

KEV Added

—

Patch

—

CVSS Score 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0022 44.7th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Description

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Tripster tripster allows PHP Local File Inclusion.This issue affects Tripster: from n/a through <= 1.0.10.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Flaw remediation requires timely patching of the vulnerable Tripster theme to correct the improper filename control in PHP include/require statements.

SI-10 Information Input Validation good match

prevent

Information input validation directly counters the PHP Local File Inclusion by ensuring filenames for include/require are properly validated and sanitized against path traversal.

AC-6 Least Privilege partial match

prevent

Least privilege limits the web server's access to sensitive files, reducing the impact of successful LFI exploitation even if input validation fails.

Security SummaryAI

CVE-2025-60048 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, also known as PHP Remote File Inclusion (CWE-98), that enables PHP Local File Inclusion in the Tripster WordPress theme developed by axiomthemes. This flaw affects Tripster versions from n/a through 1.0.10 and was published on 2025-12-18.

The vulnerability carries a CVSS v3.1 base score of 8.1 (High), with a vector of AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating exploitation over the network with high attack complexity but no privileges or user interaction required. Remote unauthenticated attackers can leverage this to achieve high impacts on confidentiality, integrity, and availability, potentially allowing arbitrary local file reads via manipulated include/require statements.

Patchstack's advisory at https://patchstack.com/database/Wordpress/Theme/tripster/vulnerability/wordpress-tripster-theme-1-0-10-local-file-inclusion-vulnerability?_s_id=cve documents the Local File Inclusion issue specifically in Tripster version 1.0.10 and provides details on associated mitigations for WordPress environments.

Details

CWE(s): CWE-98

Affected Products

axiomthemes

tripster

≤ 1.0.10

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1005 Data from Local System Collection

Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

attack.mitre.org →

Why these techniques?

The vulnerability is a public-facing WordPress theme flaw (T1190) enabling local file inclusion for arbitrary local file reads (T1005).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://patchstack.com/database/Wordpress/Theme/tripster/vulnerability/wordpress-tripster-theme-1-0-10-local-file-inclusion-vulnerability?_s_id=cve
audit@patchstack.com