CVE-2025-67920

High

Published: 08 January 2026

Published

08 January 2026

Modified

27 April 2026

KEV Added

—

Patch

—

CVSS Score 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0017 38.1th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Description

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Neo Ocular neoocular allows PHP Local File Inclusion.This issue affects Neo Ocular: from n/a through < 1.2.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly mitigates CVE-2025-67920 by requiring timely remediation through updating the vulnerable Neo Ocular WordPress theme to version 1.2 or later.

SI-10 Information Input Validation good match

prevent

Addresses the core issue of improper filename control in PHP include/require statements by enforcing validation of inputs to block local file inclusion exploitation.

RA-5 Vulnerability Monitoring and Scanning good match

detect

Enables proactive identification of vulnerabilities like this PHP LFI in the Neo Ocular theme through regular scanning and monitoring.

Security SummaryAI

CVE-2025-67920 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, also known as PHP Remote File Inclusion, in the Elated-Themes Neo Ocular WordPress theme (neoocular). It enables PHP Local File Inclusion and affects all versions from n/a through those prior to 1.2. The vulnerability is associated with CWE-98 and carries a CVSS v3.1 base score of 8.1 (High), with vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H.

Remote unauthenticated attackers can exploit this vulnerability over the network without user interaction, though it requires high attack complexity. Successful exploitation allows attackers to achieve high impacts on confidentiality, integrity, and availability, potentially enabling them to include and execute arbitrary local PHP files on the server.

The Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/neoocular/vulnerability/wordpress-neo-ocular-theme-1-2-local-file-inclusion-vulnerability?_s_id=cve details the vulnerability in the Neo Ocular WordPress theme, implying mitigation through updating to version 1.2 or later, as prior versions are affected.

Details

CWE(s): CWE-98

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

The vulnerability is an unauthenticated remote code execution via local file inclusion in a public-facing WordPress theme, directly enabling exploitation of a public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://patchstack.com/database/Wordpress/Theme/neoocular/vulnerability/wordpress-neo-ocular-theme-1-2-local-file-inclusion-vulnerability?_s_id=cve
audit@patchstack.com