CVE-2025-60199
Published: 06 November 2025
Summary
CVE-2025-60199 is a high-severity PHP Remote File Inclusion (CWE-98) vulnerability. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 31.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-60199 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, classified as PHP Remote File Inclusion, within the dedalx InHype Blog & Magazine WordPress Theme (inhype). It enables PHP Local File Inclusion and affects the theme from its initial release (n/a) through version 1.5.2. The issue is mapped to CWE-98 and carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to network accessibility and significant impacts on confidentiality, integrity, and availability.
Unauthenticated remote attackers (PR:N) can exploit this vulnerability over the network (AV:N) without requiring user interaction (UI:N), though it demands high attack complexity (AC:H). Successful exploitation allows attackers to achieve high-level impacts, including unauthorized access to sensitive data (C:H), modification of system resources (I:H), and disruption of services (A:H), all within an unchanged security scope (S:U).
Advisories, including the Patchstack database entry (https://patchstack.com/database/Wordpress/Theme/inhype/vulnerability/wordpress-inhype-blog-magazine-wordpress-theme-theme-1-5-2-local-file-inclusion-vulnerability?_s_id=cve), document the vulnerability and provide details on affected versions for mitigation guidance.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-38116
Vulnerability details
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in dedalx InHype - Blog & Magazine WordPress Theme inhype allows PHP Local File Inclusion.This issue affects InHype - Blog & Magazine WordPress Theme: from…
more
n/a through <= 1.5.2.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE-2025-60199 is a remote/local file inclusion vulnerability in a public-facing WordPress theme, directly enabling exploitation of a public-facing application (T1190).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mitigates improper filename control in PHP include/require by validating and sanitizing user-supplied inputs to prevent local file inclusion.
Addresses the specific flaw in InHype WordPress theme versions <=1.5.2 through timely patching or replacement to eliminate the vulnerability.
Enforces secure PHP configuration settings like open_basedir restrictions and disabling dangerous functions to limit arbitrary file inclusion capabilities.