Cyber Posture

CVE-2025-62010

High

Published: 06 November 2025

Published
06 November 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0011 28.9th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Description

Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.

Security Summary

CVE-2025-62010 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, known as PHP Remote File Inclusion, that enables PHP Local File Inclusion in the ApusTheme Famita WordPress theme. This issue affects Famita versions from n/a through 1.54 and is associated with CWE-98. The vulnerability was published on 2025-11-06 with a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

Unauthenticated remote attackers can exploit this vulnerability over the network without user interaction, though it requires high attack complexity. Successful exploitation allows attackers to achieve high impacts on confidentiality, integrity, and availability, potentially through local file inclusion leading to unauthorized file access or execution.

Mitigation details are provided in the Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/famita/vulnerability/wordpress-famita-theme-1-54-local-file-inclusion-vulnerability?_s_id=cve.

Details

CWE(s)
CWE-98

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
attack.mitre.org →
T1552.001 Credentials In Files Credential Access
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
attack.mitre.org →
Why these techniques?

Public-facing WordPress theme LFI vulnerability enables exploitation of public-facing applications (T1190), reading sensitive local files including credentials (T1005, T1552.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References