CVE-2025-60057

High

Published: 18 December 2025

Published

18 December 2025

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0022 44.7th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Description

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes DJ Rainflow dj-rainflow allows PHP Local File Inclusion.This issue affects DJ Rainflow: from n/a through <= 1.3.13.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly mitigates improper filename control in PHP include/require by requiring validation of user-supplied inputs to block local file inclusion paths.

SI-2 Flaw Remediation good match

prevent

Addresses the specific flaw in DJ Rainflow theme versions <=1.3.13 through timely identification, reporting, and remediation via patching.

CM-6 Configuration Settings partial match

prevent

Enforces secure configuration settings in PHP and WordPress environments to restrict dangerous file operations that enable local file inclusion.

Security SummaryAI

CVE-2025-60057 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, classified as PHP Remote File Inclusion but enabling PHP Local File Inclusion, affecting the AncoraThemes DJ Rainflow WordPress theme (dj-rainflow). This flaw impacts all versions from n/a through 1.3.13 and was published on 2025-12-18. It is associated with CWE-98 and carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

The vulnerability can be exploited by unauthenticated attackers with network access, though it requires high attack complexity and no user interaction. Successful exploitation allows attackers to achieve high impacts on confidentiality, integrity, and availability, potentially enabling local file inclusion to read sensitive files or, in PHP contexts, execute arbitrary code.

Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/dj-rainflow/vulnerability/wordpress-dj-rainflow-theme-1-3-13-local-file-inclusion-vulnerability?_s_id=cve.

Details

CWE(s): CWE-98

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1005 Data from Local System Collection

Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

attack.mitre.org →

Why these techniques?

CVE-2025-60057 is an LFI vulnerability in a public-facing WordPress theme exploitable remotely without privileges (T1190: Exploit Public-Facing Application). Successful exploitation directly enables reading and potential execution of local files (T1005: Data from Local System).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://patchstack.com/database/Wordpress/Theme/dj-rainflow/vulnerability/wordpress-dj-rainflow-theme-1-3-13-local-file-inclusion-vulnerability?_s_id=cve
audit@patchstack.com