Cyber Resilience

CVE-2025-58958

High

Published: 22 October 2025

Published
22 October 2025
Modified
27 April 2026
KEV Added
Patch
CVSS Score v3.1 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0012 30.3th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-58958 is a high-severity PHP Remote File Inclusion (CWE-98) vulnerability in Thememove Smilepure. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 30.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-58958 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, known as PHP Remote File Inclusion, that enables PHP Local File Inclusion in the SmilePure WordPress theme developed by ThemeMove. This issue affects SmilePure versions from n/a through those prior to 1.8.5.

Unauthenticated attackers can exploit the vulnerability over the network with high attack complexity and no user interaction, as reflected in its CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H). Exploitation allows high-impact consequences on confidentiality, integrity, and availability through the inclusion of arbitrary local files.

The Patchstack advisory details the vulnerability in the SmilePure WordPress theme and indicates it was fixed in version 1.8.5. Mitigation involves updating affected installations to SmilePure 1.8.5 or later.

EU & UK References

Vulnerability details

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeMove SmilePure smilepure allows PHP Local File Inclusion.This issue affects SmilePure: from n/a through < 1.8.5.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct remote exploitation of public-facing WordPress theme via LFI/RFI vulnerability enables initial access.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-22708Same vendor: Thememove
CVE-2025-14430Same vendor: Thememove
CVE-2025-54700Same vendor: Thememove
CVE-2025-59555Same vendor: Thememove
CVE-2025-14429Same vendor: Thememove
CVE-2025-22707Same vendor: Thememove
CVE-2025-54701Same vendor: Thememove
CVE-2025-58206Same vendor: Thememove
CVE-2025-60069Same vendor: Thememove
CVE-2025-59564Same vendor: Thememove

Affected Assets

thememove
smilepure
≤ 1.8.5

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mandates timely identification, reporting, and patching of the PHP Local File Inclusion flaw in SmilePure WordPress theme versions prior to 1.8.5.

prevent

Requires validation of filename inputs in PHP include/require statements to block arbitrary local file inclusion by unauthenticated attackers.

prevent

Restricts information inputs for file operations to whitelisted safe paths, preventing path traversal and local file inclusion exploits.

References