CVE-2025-67526
Published: 09 December 2025
Summary
CVE-2025-67526 is a high-severity PHP Remote File Inclusion (CWE-98) vulnerability. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 28.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-67526 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, classified as a PHP Remote File Inclusion issue that enables PHP Local File Inclusion (CWE-98), affecting the Sailing WordPress theme developed by ThimPress. The vulnerability impacts all versions of the Sailing theme prior to 4.4.6, with a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H).
Low-privileged authenticated users (PR:L) can exploit this vulnerability over the network (AV:N) with high attack complexity (AC:H) and no user interaction required (UI:N). Successful exploitation allows attackers to achieve high impacts on confidentiality, integrity, and availability (C:I:A:H), potentially enabling local file inclusion to read sensitive files or execute arbitrary code if local PHP files are accessible.
Patchstack advisories recommend updating the Sailing WordPress theme to version 4.4.6 or later to mitigate this local file inclusion vulnerability, as detailed in their database entry.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-202118
Vulnerability details
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThimPress Sailing sailing allows PHP Local File Inclusion.This issue affects Sailing: from n/a through < 4.4.6.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is an unauthenticated Local File Inclusion (LFI) in a public-facing WordPress theme, directly enabling exploitation of a public-facing application for remote code execution.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mitigates CVE-2025-67526 by requiring timely remediation of the known flaw through patching the vulnerable Sailing WordPress theme to version 4.4.6 or later.
Prevents exploitation of the PHP file inclusion vulnerability by validating filenames and paths used in include/require statements against expected safe content.
Blocks malicious file path inputs such as traversal sequences that enable local file inclusion in the Sailing theme's PHP code.