CVE-2025-62029
Published: 22 October 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-62029 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, classified as PHP Remote File Inclusion (CWE-98), affecting the Grevo WordPress theme by Themeision. This issue impacts Grevo versions from n/a through 2.4 inclusive, with a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to significant impacts on confidentiality, integrity, and availability.
Unauthenticated remote attackers can exploit this vulnerability over the network without requiring user interaction, though exploitation demands high attack complexity. Successful attacks could allow attackers to include and execute arbitrary remote files, potentially leading to full server compromise given the high impact ratings across all security principles.
Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/grevo/vulnerability/wordpress-grevo-theme-2-4-local-file-inclusion-vulnerability?_s_id=cve.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a remote file inclusion (RFI) in a public-facing WordPress theme, directly enabling exploitation of a public-facing application for remote code execution.