CVE-2025-67981
Published: 20 February 2026
Description
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Security Summary
CVE-2025-67981 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, known as PHP Remote File Inclusion, that enables PHP Local File Inclusion in the thembay Besa WordPress theme. This flaw affects Besa versions from n/a through 2.3.15 inclusive and is associated with CWE-98. The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.
An unauthenticated attacker can exploit this vulnerability over the network with high attack complexity and without requiring user interaction. Successful exploitation allows the attacker to achieve high impacts on confidentiality, integrity, and availability, such as including and executing local PHP files on the server, potentially leading to arbitrary code execution or data exposure.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/besa/vulnerability/wordpress-besa-theme-2-3-15-local-file-inclusion-vulnerability-2?_s_id=cve documents this Local File Inclusion issue specifically in Besa theme version 2.3.15. Mitigation involves updating to a version beyond 2.3.15 if available, alongside standard WordPress theme hardening practices like restricting file permissions and monitoring for anomalous include operations.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated remote LFI vulnerability in public-facing WordPress theme directly enables T1190 (Exploit Public-Facing Application) for initial access and facilitates T1005 (Data from Local System) by allowing inclusion and execution of arbitrary local PHP files.