CVE-2025-62067
Published: 06 November 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-62067 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, classified as PHP Remote File Inclusion (CWE-98), affecting the Elated-Themes Savory WordPress theme. This issue impacts Savory versions from n/a through 2.5 inclusive. The vulnerability was published on 2025-11-06 and carries a CVSS 3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
An unauthenticated attacker can exploit this vulnerability over the network, though it requires high attack complexity and no user interaction. Successful exploitation enables high impacts on confidentiality, integrity, and availability, potentially allowing arbitrary file inclusion as per the CWE-98 classification.
The Patchstack advisory (https://patchstack.com/database/Wordpress/Theme/savory/vulnerability/wordpress-savory-theme-2-5-local-file-inclusion-vulnerability?_s_id=cve) documents the issue specifically in Savory theme version 2.5, recommending mitigation through updating to a version beyond 2.5 where the vulnerability is addressed.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a Local File Inclusion (LFI) in a public-facing WordPress theme, enabling unauthenticated remote exploitation of a web application, directly mapping to T1190: Exploit Public-Facing Application.