CVE-2025-67920

HighUpdated

Published: 08 January 2026

Published

08 January 2026

Modified

27 April 2026

KEV Added

—

Patch

—

CVSS Score 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0022 44.7th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-67920 is a high-severity PHP Remote File Inclusion (CWE-98) vulnerability. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 44.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly mitigates CVE-2025-67920 by requiring timely remediation through updating the vulnerable Neo Ocular WordPress theme to version 1.2 or later.

SI-10 Information Input Validation good match

prevent

Addresses the core issue of improper filename control in PHP include/require statements by enforcing validation of inputs to block local file inclusion exploitation.

RA-5 Vulnerability Monitoring and Scanning good match

detect

Enables proactive identification of vulnerabilities like this PHP LFI in the Neo Ocular theme through regular scanning and monitoring.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

The vulnerability is an unauthenticated remote code execution via local file inclusion in a public-facing WordPress theme, directly enabling exploitation of a public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Neo Ocular neoocular allows PHP Local File Inclusion.This issue affects Neo Ocular: from n/a through < 1.2.

Deeper analysisAI

CVE-2025-67920 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, also known as PHP Remote File Inclusion, in the Elated-Themes Neo Ocular WordPress theme (neoocular). It enables PHP Local File Inclusion and affects all versions from n/a through those prior to 1.2. The vulnerability is associated with CWE-98 and carries a CVSS v3.1 base score of 8.1 (High), with vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H.

Remote unauthenticated attackers can exploit this vulnerability over the network without user interaction, though it requires high attack complexity. Successful exploitation allows attackers to achieve high impacts on confidentiality, integrity, and availability, potentially enabling them to include and execute arbitrary local PHP files on the server.

The Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/neoocular/vulnerability/wordpress-neo-ocular-theme-1-2-local-file-inclusion-vulnerability?_s_id=cve details the vulnerability in the Neo Ocular WordPress theme, implying mitigation through updating to version 1.2 or later, as prior versions are affected.

Details

CWE(s): CWE-98

CVEs Like This One

CVE-2024-56281Shared CWE-98

CVE-2025-58958Shared CWE-98

CVE-2026-27052Shared CWE-98

CVE-2026-28096Shared CWE-98

CVE-2025-67935Shared CWE-98

CVE-2025-49941Shared CWE-98

CVE-2026-27990Shared CWE-98

CVE-2025-69062Shared CWE-98

CVE-2025-68543Shared CWE-98

CVE-2026-22449Shared CWE-98

References

https://patchstack.com/database/Wordpress/Theme/neoocular/vulnerability/wordpress-neo-ocular-theme-1-2-local-file-inclusion-vulnerability?_s_id=cve
audit@patchstack.com