CVE-2025-69410

CVE-2025-69410 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, classified as PHP Remote File Inclusion but enabling PHP Local File Inclusion, in the Edge-Themes Belletrist WordPress theme. This issue affects Belletrist versions from n/a through 1.2. It is associated with CWE-98 and carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to network accessibility, high attack complexity, no privileges or user interaction required, and high impacts across confidentiality, integrity, and availability.

Unauthenticated attackers can exploit this vulnerability remotely by manipulating filename controls in PHP include/require statements within the affected theme. Exploitation requires high complexity but allows adversaries to include and execute local PHP files, potentially leading to unauthorized access, code execution, data disclosure, modification, or denial of service aligning with the high CIA triad impacts.

The Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/belletrist/vulnerability/wordpress-belletrist-theme-1-2-local-file-inclusion-vulnerability?_s_id=cve documents the Local File Inclusion vulnerability in the Belletrist WordPress theme version 1.2. The CVE was published on 2026-02-20T16:22:29.157.