CVE-2025-69407
Published: 20 February 2026
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-69407 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, classified as PHP Remote File Inclusion, within the Select-Themes Struktur WordPress theme. It enables PHP Local File Inclusion and affects all versions of Struktur from n/a through 2.5.1. The issue is mapped to CWE-98 and carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
The vulnerability can be exploited remotely over the network by unauthenticated attackers with no required privileges or user interaction, though it demands high attack complexity. Successful exploitation grants high-impact confidentiality, integrity, and availability consequences, potentially allowing attackers to include and execute local files on the server.
The Patchstack advisory provides details on this Local File Inclusion vulnerability in the Struktur WordPress theme version 2.5.1, available at https://patchstack.com/database/Wordpress/Theme/struktur/vulnerability/wordpress-struktur-theme-2-5-1-local-file-inclusion-vulnerability?_s_id=cve. Practitioners should consult it for recommended mitigations or patches.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
This LFI vulnerability in a public-facing WordPress theme allows remote unauthenticated attackers to include and execute local PHP files, leading to arbitrary code execution, directly enabling T1190: Exploit Public-Facing Application.