CVE-2025-67529
Published: 09 December 2025
Description
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Security Summary
CVE-2025-67529 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, known as PHP Remote File Inclusion, present in the Opal_WP Fashion fashion2 WordPress theme. It enables PHP Local File Inclusion and affects all versions from n/a through those prior to 5.3.0. The issue is mapped to CWE-98 and was published on 2025-12-09.
The vulnerability carries a CVSS v3.1 base score of 7.5 (High), with the attack vector AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H. Attackers with network access, capable of high-complexity exploitation, and possessing low privileges can target it without user interaction. Successful exploitation leads to high impacts on confidentiality, integrity, and availability.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/fashion2/vulnerability/wordpress-fashion-theme-5-3-0-local-file-inclusion-vulnerability?_s_id=cve details the local file inclusion vulnerability in the fashion2 theme and indicates that updating to version 5.3.0 addresses the issue.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a critical remote file inclusion flaw in a public-facing WordPress theme, directly enabling exploitation of public-facing applications (T1190) and arbitrary local file disclosure (T1005), with potential for RCE depending on configuration.