CVE-2025-58940
Published: 18 December 2025
Summary
CVE-2025-58940 is a high-severity PHP Remote File Inclusion (CWE-98) vulnerability in Axiomthemes Basil. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 43.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly addresses the LFI vulnerability by identifying, reporting, and correcting the improper filename control flaw in the Basil WordPress theme through patching as per advisories.
Prevents exploitation of the PHP Local File Inclusion by validating filenames and paths used in include/require statements against allowed values.
Mitigates potential impact of LFI by enforcing restrictive PHP configuration settings like open_basedir to limit accessible local files.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE enables exploitation of a public-facing WordPress theme (T1190) via LFI, directly facilitating arbitrary local file inclusion for data theft (T1005).
NVD Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Basil basil allows PHP Local File Inclusion.This issue affects Basil: from n/a through <= 1.3.12.
Deeper analysisAI
CVE-2025-58940 is an Improper Control of Filename for Include/Require Statement vulnerability in PHP programs, classified as a PHP Remote File Inclusion issue but manifesting as PHP Local File Inclusion (LFI), affecting the Basil WordPress theme developed by axiomthemes. The vulnerability impacts Basil theme versions from n/a through 1.3.12 inclusive. It is associated with CWE-98 and carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to network accessibility and significant impacts despite requiring high attack complexity.
Unauthenticated remote attackers can exploit this vulnerability over the network without user interaction or privileges. Exploitation enables high confidentiality, integrity, and availability impacts, allowing inclusion of arbitrary local files, which could lead to sensitive data exposure, server modification, or disruption depending on the target's configuration.
Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/basil/vulnerability/wordpress-basil-theme-1-3-12-local-file-inclusion-vulnerability?_s_id=cve, which documents the LFI vulnerability specific to the WordPress Basil theme version 1.3.12.
Details
- CWE(s)