CVE-2025-68540
Published: 24 December 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-68540 is an Improper Control of Filename for Include/Require Statement vulnerability, referred to as PHP Remote File Inclusion but enabling PHP Local File Inclusion, in the thembay Fana WordPress theme. This issue affects Fana versions from n/a through 1.1.35 and is associated with CWE-98. The vulnerability was published on 2025-12-24.
Attackers with low privileges (PR:L) can exploit this over the network (AV:N) with high attack complexity (AC:H) and no user interaction (UI:N), achieving high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H). The CVSS v3.1 base score is 7.5 with unchanged scope (S:U). Successful exploitation allows local file inclusion, potentially enabling attackers to read sensitive files or execute arbitrary code depending on server configuration.
The Patchstack advisory documents this as a Local File Inclusion vulnerability in the WordPress Fana theme up to version 1.1.35, recommending mitigation through updating to a patched version.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated remote exploitation of a public-facing WordPress theme via PHP Local File Inclusion enables remote code execution or sensitive file disclosure, directly mapping to T1190: Exploit Public-Facing Application.