CVE-2025-68987

CVE-2025-68987 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, described as PHP Remote File Inclusion but enabling PHP Local File Inclusion, in the Edge-Themes Cinerama WordPress theme. This issue affects Cinerama versions from n/a through 2.9 and is associated with CWE-98. The vulnerability was published on 2025-12-30T11:15:57.330 with a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H).

Low-privileged authenticated users (PR:L) can exploit this vulnerability over the network (AV:N) with high attack complexity (AC:H) and no user interaction (UI:N). Successful exploitation allows attackers to achieve high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H) through local file inclusion, potentially enabling unauthorized access to local files on the server.

The Patchstack advisory (https://patchstack.com/database/Wordpress/Theme/cinerama/vulnerability/wordpress-cinerama-a-wordpress-theme-for-movie-studios-and-filmmakers-theme-2-4-local-file-inclusion-vulnerability?_s_id=cve) details this Local File Inclusion vulnerability in the Cinerama WordPress theme, specifically referencing version 2.4. Security practitioners should review the advisory for recommended mitigations and available patches.