CVE-2025-67980
Published: 20 February 2026
Description
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Security Summary
CVE-2025-67980 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, classified as PHP Remote File Inclusion but enabling PHP Local File Inclusion, affecting the Hara theme developed by thembay for WordPress. The issue impacts all versions of the Hara theme up to and including 1.2.17. It carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-98.
Attackers can exploit this vulnerability remotely over the network without requiring user privileges or interaction, though it demands high attack complexity. Successful exploitation allows arbitrary local file inclusion, potentially granting high-impact confidentiality, integrity, and availability compromises, such as reading sensitive files or executing arbitrary code if local PHP files are accessible.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/hara/vulnerability/wordpress-hara-theme-1-2-17-local-file-inclusion-vulnerability-2?_s_id=cve provides details on this WordPress Hara theme vulnerability, including recommended mitigations.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The LFI vulnerability in the public-facing WordPress Hara theme enables exploitation of public-facing applications (T1190) and facilitates retrieval of data from the local system via arbitrary local file reads (T1005).