CVE-2025-60199

CVE-2025-60199 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, classified as PHP Remote File Inclusion, within the dedalx InHype Blog & Magazine WordPress Theme (inhype). It enables PHP Local File Inclusion and affects the theme from its initial release (n/a) through version 1.5.2. The issue is mapped to CWE-98 and carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to network accessibility and significant impacts on confidentiality, integrity, and availability.

Unauthenticated remote attackers (PR:N) can exploit this vulnerability over the network (AV:N) without requiring user interaction (UI:N), though it demands high attack complexity (AC:H). Successful exploitation allows attackers to achieve high-level impacts, including unauthorized access to sensitive data (C:H), modification of system resources (I:H), and disruption of services (A:H), all within an unchanged security scope (S:U).

Advisories, including the Patchstack database entry (https://patchstack.com/database/Wordpress/Theme/inhype/vulnerability/wordpress-inhype-blog-magazine-wordpress-theme-theme-1-5-2-local-file-inclusion-vulnerability?_s_id=cve), document the vulnerability and provide details on affected versions for mitigation guidance.