CVE-2025-39458
Published: 19 May 2025
Summary
CVE-2025-39458 is a high-severity PHP file inclusion vulnerability (CWE-98, 'PHP Remote File Inclusion') in Qodeinteractive Foton; in practice it allows PHP local file inclusion. Its CVSS base score is 8.1 (High).
Operationally, it ranks in the top 18.9% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2025-39458 is a PHP local file inclusion vulnerability arising from improper control of filenames in include/require statements, tracked as CWE-98. It affects the Mikado-Themes Foton WordPress theme in all versions through 2.5.2 and carries a CVSS 3.1 score of 8.1.
An unauthenticated remote attacker can exploit the flaw over the network, albeit with high attack complexity, to include and execute arbitrary local PHP files. Successful exploitation has a high impact on the confidentiality, integrity, and availability of the affected site and requires no user interaction.
The Patchstack advisory at the referenced URL documents the issue in the Foton theme and serves as the primary source for further details on affected code paths. The associated EPSS score has remained flat at 0.0143 with no material increase since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-15803
Vulnerability details
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Foton foton allows PHP Local File Inclusion. This issue affects Foton: from n/a through <= 2.5.2.
- CWE(s): CWE-98
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.