CVE-2025-68543
Published: 20 February 2026
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-68543 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, known as PHP Remote File Inclusion, that enables PHP Local File Inclusion in the Diza WordPress theme developed by thembay. This issue affects Diza versions from n/a through 1.3.15. It is associated with CWE-98 and carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to significant impacts on confidentiality, integrity, and availability.
The vulnerability can be exploited by unauthenticated remote attackers over the network, requiring high attack complexity but no user interaction or privileges. Attackers can manipulate filename controls in PHP include/require statements to achieve local file inclusion, potentially leading to unauthorized access to sensitive local files, code execution, or system compromise depending on the included files and server configuration.
Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/diza/vulnerability/wordpress-diza-theme-1-3-15-local-file-inclusion-vulnerability-2?_s_id=cve, which documents the vulnerability in the Diza theme up to version 1.3.15.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a local file inclusion (LFI) in a public-facing WordPress theme, directly enabling exploitation of a public-facing application via remote code execution on the server.