CVE-2025-48160
Published: 20 August 2025
Summary
CVE-2025-48160 is a high-severity PHP Remote File Inclusion (CWE-98) vulnerability. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 36.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-48160 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability in the CocoBasic Caliris (caliris-wp) WordPress theme. It is classified as PHP Remote File Inclusion, but what it enables in practice is PHP Local File Inclusion. The issue affects Caliris versions from n/a through 1.5 inclusive. It is associated with CWE-98 and carries a CVSS 3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H): high severity because it is reachable over the network and can have a significant impact on confidentiality, integrity, and availability.
Unauthenticated remote attackers can exploit this vulnerability over the network, requiring high attack complexity but no privileges or user interaction. Exploitation allows attackers to perform local file inclusion, potentially leading to unauthorized access to sensitive local files or, in some cases, arbitrary code execution depending on the included files and server configuration.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/caliris-wp/vulnerability/wordpress-caliris-1-5-local-file-inclusion-vulnerability?_s_id=cve details this Local File Inclusion vulnerability specifically in the caliris-wp WordPress theme version 1.5.
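As an added illustration of the CWE-98 pattern behind this advisory (not code from the Caliris theme; the request parameter, template names and directory layout are hypothetical, while get_template_directory() and status_header() are WordPress core functions), here is a vulnerable include beside a hardened version that maps request values onto a fixed allowlist and confirms the resolved path stays inside the template directory:

```php
<?php
// Added illustration of CWE-98 in a WordPress theme; hypothetical names,
// not code from caliris-wp.

// Vulnerable pattern: a request parameter flows straight into the include path.
// Traversal sequences ("../") or absolute paths let a requester include any
// file the web server process can read, which is the LFI described above.
function render_template_unsafe(string $template): void
{
    include get_template_directory() . '/templates/' . $template . '.php';
}

// Hardened pattern: the request value is only a key into an allowlist, so no
// request-controlled text ever becomes part of the file name.
const TEMPLATE_ALLOWLIST = [
    'grid' => 'portfolio-grid.php',
    'list' => 'portfolio-list.php',
];

// Returns the absolute path of the allowed template, or null when the request
// does not name an allowed template or the resolved path escapes the base dir.
function resolve_template(string $requested): ?string
{
    if (!array_key_exists($requested, TEMPLATE_ALLOWLIST)) {
        return null;
    }
    $base = realpath(get_template_directory() . '/templates');
    if ($base === false) {
        return null;
    }
    $path = realpath($base . '/' . TEMPLATE_ALLOWLIST[$requested]);
    // Defence in depth: even an allowlisted entry must resolve under $base.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($path === false || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

function render_template_safe(string $requested): void
{
    $path = resolve_template($requested);
    if ($path === null) {
        status_header(404);   // unknown template: refuse rather than guess
        return;
    }
    include $path;
}
```

The allowlist is the control SI-10 asks for; the realpath containment check adds a second barrier in case the allowlist is later edited to point outside the template directory.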
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-25281
Vulnerability details
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CocoBasic Caliris caliris-wp allows PHP Local File Inclusion. This issue affects Caliris: from n/a through <= 1.5.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
LFI vuln in public-facing WordPress theme directly enables remote exploitation (T1190) and web shell/code execution (T1505.003).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation of user-supplied filenames before they are used in PHP include/require statements, preventing LFI exploitation in the Caliris WordPress theme.
- Flaw remediation: mandates timely identification, reporting, and patching of known flaws such as this PHP LFI vulnerability affecting Caliris versions through 1.5.
- AC-6 (Least Privilege): enforces least privilege on file system resources, preventing the web server process from accessing sensitive local files even if they are improperly included.