
CVE-2025-39458 (Severity: High)

Published: 19 May 2025

Modified: 23 April 2026
CVSS Score (v3.1): 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0143 (81.1 percentile)
Risk Priority: 17 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-39458 is a high-severity vulnerability in Qodeinteractive Foton, classified as CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program, 'PHP Remote File Inclusion'). Its CVSS base score is 8.1 (High).

Operationally, it ranks in the top 18.9% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2025-39458 is a PHP local file inclusion vulnerability arising from improper control of filenames in include/require statements, tracked as CWE-98. It affects the Mikado-Themes Foton WordPress theme in all versions through 2.5.2 and carries a CVSS 3.1 score of 8.1.

An unauthenticated remote attacker can exploit the flaw over the network, albeit with high attack complexity, to include and execute arbitrary local PHP files. Successful exploitation has high impact on confidentiality, integrity, and availability of the affected site (C:H/I:H/A:H) and requires no user interaction.

The Patchstack advisory at the referenced URL documents the issue in the Foton theme and serves as the primary source for further details on affected code paths. The associated EPSS score has remained flat at 0.0143 with no material increase since disclosure.


Vulnerability details

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Foton foton allows PHP Local File Inclusion. This issue affects Foton: from n/a through <= 2.5.2.


Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: qodeinteractive; Product: foton; Versions: ≤ 2.6.1

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
