Cyber Resilience

CVE-2025-60048

High

Published: 18 December 2025

Published
18 December 2025
Modified
27 April 2026
KEV Added
Patch
CVSS Score v3.1 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0042 32.9th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-60048 is a high-severity PHP Remote File Inclusion (CWE-98) vulnerability in Axiomthemes Tripster. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 32.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-60048 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, also known as PHP Remote File Inclusion (CWE-98), that enables PHP Local File Inclusion in the Tripster WordPress theme developed by axiomthemes. This flaw affects Tripster versions from n/a through 1.0.10 and was published on 2025-12-18.

The vulnerability carries a CVSS v3.1 base score of 8.1 (High), with a vector of AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating exploitation over the network with high attack complexity but no privileges or user interaction required. Remote unauthenticated attackers can leverage this to achieve high impacts on confidentiality, integrity, and availability, potentially allowing arbitrary local file reads via manipulated include/require statements.

Patchstack's advisory at https://patchstack.com/database/Wordpress/Theme/tripster/vulnerability/wordpress-tripster-theme-1-0-10-local-file-inclusion-vulnerability?_s_id=cve documents the Local File Inclusion issue specifically in Tripster version 1.0.10 and provides details on associated mitigations for WordPress environments.

EU & UK References

Vulnerability details

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Tripster tripster allows PHP Local File Inclusion.This issue affects Tripster: from n/a through <= 1.0.10.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

The vulnerability is a public-facing WordPress theme flaw (T1190) enabling local file inclusion for arbitrary local file reads (T1005).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-58940Same vendor: Axiomthemes
CVE-2025-58936Same vendor: Axiomthemes
CVE-2025-58709Same vendor: Axiomthemes
CVE-2025-58225Same vendor: Axiomthemes
CVE-2025-58944Same vendor: Axiomthemes
CVE-2025-58949Same vendor: Axiomthemes
CVE-2025-58929Same vendor: Axiomthemes
CVE-2025-53439Same vendor: Axiomthemes
CVE-2025-58934Same vendor: Axiomthemes
CVE-2025-53435Same vendor: Axiomthemes

Affected Assets

axiomthemes
tripster
≤ 1.0.10

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Flaw remediation requires timely patching of the vulnerable Tripster theme to correct the improper filename control in PHP include/require statements.

prevent

Information input validation directly counters the PHP Local File Inclusion by ensuring filenames for include/require are properly validated and sanitized against path traversal.

prevent

Least privilege limits the web server's access to sensitive files, reducing the impact of successful LFI exploitation even if input validation fails.

References