Cyber Posture

CVE-2025-68530

High

Published: 24 December 2025

Published
24 December 2025
Modified
27 April 2026
KEV Added
Patch
CVSS Score 7.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0022 44.5th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Description

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Security Summary

CVE-2025-68530 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, classified as PHP Remote File Inclusion but enabling PHP Local File Inclusion, in the Bookory WordPress theme developed by pavothemes. This issue affects Bookory versions from n/a through 2.2.7 and is associated with CWE-98. The vulnerability was published on 2025-12-24.

The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H). Low-privileged authenticated users (PR:L) can exploit it remotely over the network (AV:N) with high attack complexity (AC:H) and no user interaction required (UI:N). Successful exploitation results in high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H) within the unchanged scope (S:U), potentially allowing attackers to include and execute local files.

Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/bookory/vulnerability/wordpress-bookory-theme-2-2-7-local-file-inclusion-vulnerability?_s_id=cve.

Details

CWE(s)
CWE-98

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
Why these techniques?

The vulnerability is a critical unauthenticated remote Local File Inclusion (LFI) in a public-facing WordPress theme, directly enabling exploitation of a public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References