CVE-2025-67526
Published: 09 December 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-67526 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, classified as a PHP Remote File Inclusion issue that enables PHP Local File Inclusion (CWE-98), affecting the Sailing WordPress theme developed by ThimPress. The vulnerability impacts all versions of the Sailing theme prior to 4.4.6, with a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H).
Low-privileged authenticated users (PR:L) can exploit this vulnerability over the network (AV:N) with high attack complexity (AC:H) and no user interaction required (UI:N). Successful exploitation allows attackers to achieve high impacts on confidentiality, integrity, and availability (C:I:A:H), potentially enabling local file inclusion to read sensitive files or execute arbitrary code if local PHP files are accessible.
Patchstack advisories recommend updating the Sailing WordPress theme to version 4.4.6 or later to mitigate this local file inclusion vulnerability, as detailed in their database entry.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is an unauthenticated Local File Inclusion (LFI) in a public-facing WordPress theme, directly enabling exploitation of a public-facing application for remote code execution.