CVE-2025-60048
Published: 18 December 2025
Summary
CVE-2025-60048 is a high-severity PHP Remote File Inclusion (CWE-98) vulnerability in Axiomthemes Tripster. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 27.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Flaw remediation requires timely patching of the vulnerable Tripster theme to correct the improper filename control in PHP include/require statements.
Information input validation directly counters the PHP Local File Inclusion by ensuring filenames for include/require are properly validated and sanitized against path traversal.
Least privilege limits the web server's access to sensitive files, reducing the impact of successful LFI exploitation even if input validation fails.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is a public-facing WordPress theme flaw (T1190) enabling local file inclusion for arbitrary local file reads (T1005).
NVD Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Tripster tripster allows PHP Local File Inclusion.This issue affects Tripster: from n/a through <= 1.0.10.
Deeper analysisAI
CVE-2025-60048 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, also known as PHP Remote File Inclusion (CWE-98), that enables PHP Local File Inclusion in the Tripster WordPress theme developed by axiomthemes. This flaw affects Tripster versions from n/a through 1.0.10 and was published on 2025-12-18.
The vulnerability carries a CVSS v3.1 base score of 8.1 (High), with a vector of AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating exploitation over the network with high attack complexity but no privileges or user interaction required. Remote unauthenticated attackers can leverage this to achieve high impacts on confidentiality, integrity, and availability, potentially allowing arbitrary local file reads via manipulated include/require statements.
Patchstack's advisory at https://patchstack.com/database/Wordpress/Theme/tripster/vulnerability/wordpress-tripster-theme-1-0-10-local-file-inclusion-vulnerability?_s_id=cve documents the Local File Inclusion issue specifically in Tripster version 1.0.10 and provides details on associated mitigations for WordPress environments.
Details
- CWE(s)