CVE-2025-58944
Published: 18 December 2025
Summary
CVE-2025-58944 is a high-severity PHP Remote File Inclusion (CWE-98) vulnerability in Axiomthemes Manufactory. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 43.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the CVE by requiring timely identification, reporting, and patching of the PHP local file inclusion flaw in the vulnerable Manufactory WordPress theme.
Prevents exploitation by enforcing validation of user-supplied filenames prior to their use in PHP include/require statements, blocking malicious local file paths.
Enables detection of the PHP LFI vulnerability in the Manufactory theme through ongoing vulnerability scanning of web applications and components.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability allows unauthenticated remote exploitation of a public-facing WordPress theme via LFI (T1190), enabling reading of sensitive local files (T1005).
NVD Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Manufactory manufactory allows PHP Local File Inclusion.This issue affects Manufactory: from n/a through <= 1.4.
Deeper analysisAI
CVE-2025-58944 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, classified as PHP Remote File Inclusion but enabling PHP Local File Inclusion, in the Manufactory WordPress theme developed by axiomthemes. This issue affects Manufactory versions from n/a through 1.4 inclusive. It is associated with CWE-98 and carries a CVSS 3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to network accessibility and significant impacts on confidentiality, integrity, and availability.
Unauthenticated remote attackers can exploit this vulnerability over the network without user interaction, though it requires high attack complexity. Exploitation allows local file inclusion, potentially enabling attackers to read sensitive files, execute arbitrary code if PHP files are included, or disrupt system availability.
The Patchstack advisory provides further details on this WordPress Manufactory theme vulnerability, available at https://patchstack.com/database/Wordpress/Theme/manufactory/vulnerability/wordpress-manufactory-theme-1-4-local-file-inclusion-vulnerability?_s_id=cve.
Details
- CWE(s)