Cyber Resilience

CVE-2025-54700

High

Published: 14 August 2025

Published
14 August 2025
Modified
23 April 2026
KEV Added
Patch
CVSS Score v3.1 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0055 68.3th percentile
Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-54700 is a high-severity PHP Remote File Inclusion (CWE-98) vulnerability in Thememove Makeaholic. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 31.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-54700 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, classified as PHP Remote File Inclusion but enabling PHP Local File Inclusion, in the ThemeMove Makeaholic WordPress theme. The issue affects Makeaholic versions from n/a through 1.8.4 and is associated with CWE-98. Published on 2025-08-14, it carries a CVSS 3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

A network-based attacker requires no privileges or user interaction but must overcome high attack complexity to exploit the vulnerability remotely. Successful exploitation grants high-impact access to confidentiality, integrity, and availability, potentially allowing arbitrary local file inclusion.

Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/makeaholic/vulnerability/wordpress-makeaholic-theme-1-8-4-local-file-inclusion-vulnerability?_s_id=cve.

EU & UK References

Vulnerability details

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeMove Makeaholic makeaholic allows PHP Local File Inclusion.This issue affects Makeaholic: from n/a through <= 1.8.4.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct LFI vulnerability in public-facing WordPress theme enables remote exploitation of the web application.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-22708Same vendor: Thememove
CVE-2025-14430Same vendor: Thememove
CVE-2025-59555Same vendor: Thememove
CVE-2025-14429Same vendor: Thememove
CVE-2025-22707Same vendor: Thememove
CVE-2025-58958Same vendor: Thememove
CVE-2025-54701Same vendor: Thememove
CVE-2025-58206Same vendor: Thememove
CVE-2025-60069Same vendor: Thememove
CVE-2025-59564Same vendor: Thememove

Affected Assets

thememove
makeaholic
≤ 1.8.5

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates CVE-2025-54700 by requiring identification, reporting, and timely patching or replacement of the vulnerable Makeaholic WordPress theme versions through 1.8.4.

prevent

Prevents exploitation of the PHP Local File Inclusion vulnerability by enforcing validation of user-supplied filenames used in include/require statements to reject arbitrary paths.

prevent

Hardens PHP and web server configurations with restrictive settings like open_basedir to limit file access paths exploitable by the improper filename control in the Makeaholic theme.

References