CVE-2025-67527
Published: 09 December 2025
Summary
CVE-2025-67527 is a high-severity PHP Remote File Inclusion (CWE-98) vulnerability. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 28.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-67527 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, classified as a PHP Local File Inclusion issue (CWE-98), affecting the Digiqole WordPress theme developed by trippleS. The flaw enables local file inclusion through inadequate validation of filenames in PHP include/require statements. It impacts all versions of the Digiqole theme prior to 2.2.7, with the vulnerability published on 2025-12-09 and assigned a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H).
An attacker with low privileges, such as an authenticated WordPress user, can exploit this vulnerability over the network with high attack complexity and no user interaction required. Successful exploitation allows the attacker to achieve high impacts on confidentiality, integrity, and availability, potentially enabling arbitrary local file inclusion to read sensitive server files, modify data, or disrupt services.
The Patchstack advisory references indicate that the vulnerability is fixed in Digiqole theme version 2.2.7, recommending that users update to this version or later to mitigate the issue.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-202117
Vulnerability details
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in trippleS Digiqole digiqole allows PHP Local File Inclusion. This issue affects Digiqole: from n/a through < 2.2.7.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An unauthenticated remote file inclusion (RFI/LFI) vulnerability in a public-facing WordPress theme enables exploitation of a public-facing application for sensitive file disclosure or RCE.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly mitigates the vulnerability by identifying, reporting, and applying the patch released in Digiqole theme version 2.2.7.
- SI-10 (Information Input Validation): Addresses the root cause by requiring validation of user-supplied filenames in PHP include/require statements to block local file inclusion.
- Enforces secure PHP configuration settings, such as open_basedir restrictions, to limit the scope of local file access in the event of improper filename handling.
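The following is an added illustration of the CWE-98 pattern the advisory describes and of the SI-10 style fix; it is not code from the Digiqole theme or from the advisory. The request parameter name, the template directory and the allowlist are hypothetical.

```php
<?php
// Added example, not Digiqole's code: the CWE-98 include/require weakness
// beside a hardened version. "layout" and the templates directory are hypothetical.

declare(strict_types=1);

// Vulnerable pattern: a request-controlled value reaches include unvalidated,
// so any readable .php path on the server can be pulled into the page.
function render_layout_vulnerable(string $layout): void
{
    include __DIR__ . '/templates/' . $layout . '.php';   // CWE-98
}

// Hardened pattern: accept only names from a fixed allowlist, then confirm the
// resolved path still sits inside the template directory (defence in depth).
const ALLOWED_LAYOUTS = ['grid', 'list', 'single'];

function resolve_layout_path(string $layout): ?string
{
    if (!in_array($layout, ALLOWED_LAYOUTS, true)) {
        return null;                         // unknown name: refuse, do not guess
    }
    $base = realpath(__DIR__ . '/templates');
    $path = realpath($base . '/' . $layout . '.php');
    // realpath() resolves ".." and symlinks; require the result to stay under $base.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function render_layout_hardened(string $layout): void
{
    $path = resolve_layout_path($layout);
    if ($path === null) {
        http_response_code(400);
        echo 'Unknown layout';
        return;
    }
    include $path;
}

// Hypothetical entry point: the layout name arrives as a query parameter.
render_layout_hardened((string) ($_GET['layout'] ?? 'grid'));
```

Pairing the allowlist with an open_basedir restriction in php.ini, as the last control above suggests, limits what a future validation slip could expose.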