CVE-2025-58958
Published: 22 October 2025
Summary
CVE-2025-58958 is a high-severity PHP Remote File Inclusion (CWE-98) vulnerability in Thememove Smilepure. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 30.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-58958 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, known as PHP Remote File Inclusion, that enables PHP Local File Inclusion in the SmilePure WordPress theme developed by ThemeMove. This issue affects SmilePure versions from n/a through those prior to 1.8.5.
Unauthenticated attackers can exploit the vulnerability over the network with high attack complexity and no user interaction, as reflected in its CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H). Exploitation allows high-impact consequences on confidentiality, integrity, and availability through the inclusion of arbitrary local files.
The Patchstack advisory details the vulnerability in the SmilePure WordPress theme and indicates it was fixed in version 1.8.5. Mitigation involves updating affected installations to SmilePure 1.8.5 or later.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-35451
Vulnerability details
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeMove SmilePure smilepure allows PHP Local File Inclusion.This issue affects SmilePure: from n/a through < 1.8.5.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct remote exploitation of public-facing WordPress theme via LFI/RFI vulnerability enables initial access.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mandates timely identification, reporting, and patching of the PHP Local File Inclusion flaw in SmilePure WordPress theme versions prior to 1.8.5.
Requires validation of filename inputs in PHP include/require statements to block arbitrary local file inclusion by unauthenticated attackers.
Restricts information inputs for file operations to whitelisted safe paths, preventing path traversal and local file inclusion exploits.