CVE-2025-67531
Published: 09 December 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-67531 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, classified as a PHP Local File Inclusion (LFI) issue under CWE-98, affecting the Turitor WordPress theme developed by trippleS. The vulnerability impacts all versions of Turitor from n/a through less than 1.5.3. It was published on 2025-12-09 with a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H).
Attackers can exploit this vulnerability over the network with low privileges required, though it demands high attack complexity and no user interaction. Successful exploitation allows high-impact compromise of confidentiality, integrity, and availability, enabling local file inclusion that could lead to unauthorized access to sensitive files or further system compromise depending on the included files.
The Patchstack advisory for the Turitor WordPress theme documents this local file inclusion vulnerability and associates mitigation with version 1.5.3, which resolves the issue in affected installations.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a critical remote file inclusion flaw in a public-facing WordPress theme, enabling unauthenticated attackers to achieve arbitrary code execution and full site compromise via exploitation of a public-facing application.