CVE-2025-67527
Published: 09 December 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-67527 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, classified as a PHP Local File Inclusion issue (CWE-98), affecting the Digiqole WordPress theme developed by trippleS. The flaw enables local file inclusion through inadequate validation of filenames in PHP include/require statements. It impacts all versions of the Digiqole theme prior to 2.2.7, with the vulnerability published on 2025-12-09 and assigned a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H).
An attacker with low privileges, such as an authenticated WordPress user, can exploit this vulnerability over the network with high attack complexity and no user interaction required. Successful exploitation allows the attacker to achieve high impacts on confidentiality, integrity, and availability, potentially enabling arbitrary local file inclusion to read sensitive server files, modify data, or disrupt services.
The Patchstack advisory references indicate that the vulnerability is fixed in Digiqole theme version 2.2.7, recommending that users update to this version or later to mitigate the issue.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated remote file inclusion (RFI/LFI) vulnerability in public-facing WordPress theme enables exploitation of public-facing application for sensitive file disclosure or RCE.