CVE-2025-69076

High

Published: 22 January 2026

Published

22 January 2026

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0017 38.1th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Description

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Modern Housewife modernhousewife allows PHP Local File Inclusion.This issue affects Modern Housewife: from n/a through <= 1.0.12.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly mitigates CVE-2025-69076 by requiring timely identification, reporting, and correction of the PHP local file inclusion flaw in the Modern Housewife WordPress theme.

SI-10 Information Input Validation good match

prevent

Prevents exploitation of the improper filename control in PHP include/require by validating user-supplied inputs for expected content and format to block local file inclusion.

CM-6 Configuration Settings partial match

prevent

Enforces secure configuration settings for PHP and web servers, such as restricting file access paths or disabling dangerous include features, to limit the impact of file inclusion vulnerabilities.

Security SummaryAI

CVE-2025-69076 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, classified as PHP Remote File Inclusion but enabling PHP Local File Inclusion in the Modern Housewife WordPress theme developed by AncoraThemes. The flaw affects all versions of the theme from n/a through 1.0.12 and is associated with CWE-98. It carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact across confidentiality, integrity, and availability.

Remote attackers can exploit this vulnerability over the network without authentication or user interaction, though it requires high attack complexity. Successful exploitation allows inclusion of local files via PHP's include/require statements, potentially enabling arbitrary file reads, modifications, or execution depending on server configuration and accessible files.

The Patchstack advisory provides details on this vulnerability in the Modern Housewife WordPress theme version 1.0.12, available at https://patchstack.com/database/Wordpress/Theme/modernhousewife/vulnerability/wordpress-modern-housewife-theme-1-0-12-local-file-inclusion-vulnerability?_s_id=cve. Security practitioners should consult this reference for recommended mitigations, such as updating the theme or applying available patches.

Details

CWE(s): CWE-98

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

The vulnerability is a public-facing WordPress theme flaw (LFI via improper PHP include control) that unauthenticated remote attackers can exploit over the network, directly mapping to exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://patchstack.com/database/Wordpress/Theme/modernhousewife/vulnerability/wordpress-modern-housewife-theme-1-0-12-local-file-inclusion-vulnerability?_s_id=cve
audit@patchstack.com