CVE-2025-60060

High

Published: 18 December 2025

Published

18 December 2025

Modified

20 January 2026

KEV Added

—

Patch

—

CVSS Score 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0022 44.7th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Description

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Pubzinne pubzinne allows PHP Local File Inclusion.This issue affects Pubzinne: from n/a through <= 1.0.12.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly requires validation of user-supplied filenames prior to use in PHP include/require statements to prevent local file inclusion attacks.

SI-2 Flaw Remediation good match

prevent

Mandates timely identification, reporting, and correction of the specific LFI flaw in the Pubzinne WordPress theme up to version 1.0.12.

RA-5 Vulnerability Monitoring and Scanning good match

detect

Enables vulnerability scanning to identify the PHP LFI vulnerability (CWE-98) in deployed WordPress themes like Pubzinne.

Security SummaryAI

CVE-2025-60060 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, classified as PHP Remote File Inclusion but enabling PHP Local File Inclusion, affecting the Pubzinne WordPress theme developed by axiomthemes. All versions of Pubzinne from n/a through 1.0.12 are vulnerable, as disclosed on December 18, 2025, and mapped to CWE-98.

The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating exploitation over the network by unauthenticated attackers without user interaction, though it demands high attack complexity. Attackers can achieve high impacts on confidentiality, integrity, and availability, potentially allowing local file disclosure or execution of arbitrary code through improper PHP include/require handling.

The Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/pubzinne/vulnerability/wordpress-pubzinne-theme-1-0-12-local-file-inclusion-vulnerability?_s_id=cve details the local file inclusion flaw in Pubzinne version 1.0.12 for WordPress users.

Details

CWE(s): CWE-98

Affected Products

axiomthemes

pubzinne

≤ 1.0.12

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

LFI/RFI vulnerability in public-facing WordPress theme directly enables exploitation of public-facing application for initial access, file disclosure, and potential RCE.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://patchstack.com/database/Wordpress/Theme/pubzinne/vulnerability/wordpress-pubzinne-theme-1-0-12-local-file-inclusion-vulnerability?_s_id=cve
audit@patchstack.com