CVE-2025-64373
Published: 18 December 2025
Summary
CVE-2025-64373 is a high-severity PHP Remote File Inclusion (CWE-98) vulnerability. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 25.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-64373 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, known as PHP Remote File Inclusion, which allows PHP Local File Inclusion in the shinetheme Traveler WordPress theme. This issue affects Traveler versions from n/a through those prior to 3.2.6, as documented in the CVE description published on 2025-12-18.
The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating exploitation is possible by unauthenticated remote attackers requiring high attack complexity but no user interaction. Attackers can achieve high impacts on confidentiality, integrity, and availability, enabling local file inclusion that may lead to arbitrary file reads, data disclosure, or potential code execution depending on server configuration.
Patchstack advisories detail the vulnerability in the Traveler theme and note it is addressed in version 3.2.6, recommending updates to this or later versions for mitigation. See https://patchstack.com/database/Wordpress/Theme/traveler/vulnerability/wordpress-traveler-theme-3-2-6-local-file-inclusion-vulnerability?_s_id=cve for full details.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-204059
Vulnerability details
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in shinetheme Traveler traveler allows PHP Local File Inclusion.This issue affects Traveler: from n/a through < 3.2.6.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
T1190 for exploiting the public-facing WordPress theme vulnerability (LFI via improper filename control in PHP include/require). T1005 enabled by LFI allowing arbitrary local file reads and data disclosure.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly remediates the PHP Local File Inclusion vulnerability by requiring timely installation of the vendor patch in Traveler theme version 3.2.6.
Mandates validation of untrusted inputs to PHP include/require statements, directly addressing the improper filename control that enables local file inclusion.
Enforces restrictive PHP configuration settings such as open_basedir or disable_functions to limit file access paths and mitigate LFI exploitation even if the application flaw persists.