CVE-2025-69400
Published: 20 February 2026
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-69400 is an Improper Control of Filename for Include/Require Statement vulnerability in PHP programs, specifically a PHP Remote File Inclusion issue that enables PHP Local File Inclusion (CWE-98). It affects the ThemeREX Yokoo WordPress theme, impacting all versions from n/a through 1.1.11. The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.
Remote attackers can exploit this vulnerability over the network without requiring user privileges or interaction, though exploitation demands high attack complexity. Successful attacks allow attackers to include and potentially execute arbitrary local files on the server, leading to high confidentiality, integrity, and availability impacts, such as unauthorized access to sensitive data or system compromise.
The Patchstack advisory documents this Local File Inclusion vulnerability in the WordPress Yokoo theme up to version 1.1.11, providing details for affected users at https://patchstack.com/database/Wordpress/Theme/yokoo/vulnerability/wordpress-yokoo-theme-1-1-11-local-file-inclusion-vulnerability?_s_id=cve.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a Local File Inclusion in a public-facing WordPress theme, directly enabling exploitation of a public-facing application.