CVE-2025-69402
Published: 20 February 2026
Description
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Security Summary
CVE-2025-69402 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, classified under CWE-98 and commonly known as PHP Remote File Inclusion, that enables PHP Local File Inclusion in the ThemeREX R&F (rf) WordPress theme. This flaw affects all versions of the rf theme from n/a through 1.5 inclusive.
The vulnerability can be exploited by unauthenticated remote attackers (AV:N/PR:N/UI:N) over the network, though it requires high attack complexity (AC:H) with unchanged scope (S:U). Successful exploitation yields high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), scoring 8.1 on the CVSS:3.1 scale, potentially allowing attackers to include and execute arbitrary local files, disclose sensitive data, or achieve code execution on the targeted server.
Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/rf/vulnerability/wordpress-r-f-theme-1-5-local-file-inclusion-vulnerability?_s_id=cve.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CVE allows unauthenticated remote exploitation of a public-facing WordPress theme via LFI (T1190), enabling disclosure of sensitive local files (T1005).