Cyber Posture

CVE-2025-67941

High

Published: 22 January 2026
Modified: 15 April 2026
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0017 (percentile 38.1)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes The Aisle (theaisle) allows PHP Local File Inclusion. This issue affects The Aisle: from n/a through < 2.9.1.

Mitigating Controls (NIST 800-53 r5)

- prevent: Directly mitigates the CVE by requiring timely remediation of the PHP Local File Inclusion flaw through updating the vulnerable WordPress theme to version 2.9.1 or later.
- prevent: Prevents exploitation by enforcing validation of filenames passed to PHP include/require statements, blocking arbitrary local file inclusion via manipulated inputs.
- detect: Enables identification of the vulnerable theme version through vulnerability scanning, facilitating proactive patching before exploitation.

Security Summary

CVE-2025-67941 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, classified as PHP Remote File Inclusion but enabling PHP Local File Inclusion, in the Elated-Themes "The Aisle" WordPress theme. This issue affects all versions of The Aisle from n/a through less than 2.9.1. It is associated with CWE-98 and carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to network accessibility and significant impacts.

Unauthenticated remote attackers can exploit this vulnerability over the network without requiring user interaction, though exploitation demands high attack complexity. Successful attacks enable high-level compromise of confidentiality, integrity, and availability, potentially allowing attackers to include and execute arbitrary local files on the server via manipulated PHP include/require statements.

The Patchstack advisory details this as a Local File Inclusion vulnerability in the WordPress "The Aisle" theme and confirms mitigation through updating to version 2.9.1 or later, where the issue is addressed.
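As an added illustration of the CWE-98 pattern the summary describes (hypothetical code, not The Aisle's own and not taken from the Patchstack advisory; the `template` request parameter and the template file names are assumptions), the unsafe include is shown beside a hardened version that maps request values to a fixed allow-list and confirms the resolved path stays inside the theme's template directory:

```php
<?php
// Added illustration of CWE-98 in a WordPress theme context. Hypothetical code:
// the 'template' parameter and the file names below are assumptions.

// VULNERABLE PATTERN: the request directly controls the path handed to include.
// Any traversal sequence escapes the templates directory, so any readable file
// on the host can be pulled into the PHP process (Local File Inclusion).
function render_template_unsafe() {
    $template = isset($_GET['template']) ? $_GET['template'] : 'default';
    include get_template_directory() . '/templates/' . $template . '.php';
}

// HARDENED PATTERN: never build the path from the raw value. Look the value up
// in an allow-list, resolve the result with realpath(), and refuse anything that
// does not sit under the intended base directory.
function render_template_safe() {
    $allowed = array(
        'default' => 'default.php',
        'gallery' => 'gallery.php',
        'contact' => 'contact.php',
    );
    $key = isset($_GET['template']) ? (string) $_GET['template'] : 'default';
    if (!array_key_exists($key, $allowed)) {
        // Unknown value: fall back to a known template; never echo the input into a path.
        $key = 'default';
    }
    $base = realpath(get_template_directory() . '/templates');
    $path = realpath($base . '/' . $allowed[$key]);
    // realpath() returns false for a missing file; the prefix check also covers the
    // case where the base itself resolves somewhere unexpected (for example a symlink).
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        wp_die('Template not available');
    }
    include $path;
}
```

The same allow-list-plus-realpath check applies to any theme or plugin that selects files from user-controlled input; a version check against 2.9.1 remains the actual remediation for this CVE.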

Details

CWE(s): CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program)

MITRE ATT&CK Enterprise Techniques

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Unauthenticated remote exploitation of Local File Inclusion in a public-facing WordPress theme directly enables T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
