CVE-2025-68984
Published: 30 December 2025
Description
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
Security Summary
CVE-2025-68984 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability (CWE-98), classified as PHP Remote File Inclusion but in practice enabling PHP Local File Inclusion, affecting the Puca WordPress theme developed by thembay. The issue affects all versions of Puca up to and including 2.6.39. It carries a CVSS v3.1 base score of 7.5 (High), with vector AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H: reachable over the network, but with high attack complexity and a requirement for low privileges.
An attacker with low-privileged access, such as an authenticated WordPress user, can exploit this over the network by manipulating filename controls in PHP include/require statements. Successful exploitation allows high-impact confidentiality, integrity, and availability violations, potentially enabling local file disclosure or inclusion that could lead to further compromise depending on server configuration.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/puca/vulnerability/wordpress-puca-theme-2-6-39-local-file-inclusion-vulnerability?_s_id=cve provides details on the vulnerability in the Puca theme version 2.6.39, including recommended mitigations such as updating to a patched version where available.
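The safe pattern for the class of bug described above, as an added example that is not code from the Puca theme or from Patchstack: a template loader that maps a request parameter to a fixed allowlist and verifies the resolved path before any include/require. The parameter name `template`, the template directory and the file names are assumptions for illustration.

```php
<?php
// Added example, not the theme's own code. Shows how an include/require target
// is kept out of request control (CWE-98): the request supplies only a key,
// never a path, and the resolved file is checked against the template root.

// Weak pattern this replaces: include($_REQUEST['template'] . '.php');
// where the raw request string reaches the include statement unchecked.

function safe_template_include(string $requested, string $template_dir): bool
{
    // 1. Allowlist: request keys map to files the theme actually ships
    //    (assumed file names for this example).
    $allowed = [
        'grid'  => 'content-grid.php',
        'list'  => 'content-list.php',
        'quick' => 'quick-view.php',
    ];
    if (!array_key_exists($requested, $allowed)) {
        // Unknown key: refuse. Never fall back to the raw request value.
        return false;
    }

    // 2. Defence in depth: canonicalise and confirm the resolved path is still
    //    inside the template root, so a bad allowlist entry or a symlink
    //    cannot widen the set of includable files.
    $root = realpath($template_dir);
    $path = realpath($template_dir . DIRECTORY_SEPARATOR . $allowed[$requested]);
    if ($root === false || $path === false
        || strpos($path, $root . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }

    require $path;
    return true;
}

// Assumed request parameter name; the default key is used when it is absent.
$requested = isset($_REQUEST['template']) ? (string) $_REQUEST['template'] : 'grid';
if (!safe_template_include($requested, __DIR__ . '/templates')) {
    http_response_code(400);
    echo 'Unknown template';
}
```

Logging the rejected key at the `return false` branches gives a cheap detection signal for probing of the parameter.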
Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
LFI in a public-facing WordPress theme enables exploitation of the public-facing application (T1190), reading local files for data collection (T1005), and access to credentials stored in files such as wp-config.php (T1552.001).