CVE-2025-69322
Published: 20 February 2026
Description
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Security Summary
CVE-2025-69322 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, classified as PHP Remote File Inclusion but enabling PHP Local File Inclusion, in the fuelthemes PeakShops WordPress theme. This issue affects PeakShops versions from n/a through less than 1.5.9 and is associated with CWE-98.
The vulnerability can be exploited by unauthenticated remote attackers over the network, requiring high attack complexity but no user interaction or privileges. Exploitation allows attackers to achieve high impacts on confidentiality, integrity, and availability, as reflected in its CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
The Patchstack advisory for this WordPress theme vulnerability recommends updating to PeakShops version 1.5.9 as the primary mitigation.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CVE describes a public-facing WordPress theme vulnerability (PHP LFI/RFI) enabling exploitation of remote services (T1190) and unauthorized access to local files on the server (T1005).