Cyber Resilience

CVE-2025-67934

High

Published: 08 January 2026

Published
08 January 2026
Modified
27 April 2026
KEV Added
Patch
CVSS Score v3.1 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0043 34.6th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2025-67934 is a high-severity PHP Remote File Inclusion (CWE-98) vulnerability in Qodeinteractive Wellspring. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 34.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-67934 is an Improper Control of Filename for Include/Require Statement vulnerability, classified as a PHP Local File Inclusion (LFI) issue, affecting the Wellspring WordPress theme developed by Mikado-Themes. Despite the descriptor referencing PHP Remote File Inclusion, the vulnerability enables local file inclusion. It impacts all versions of Wellspring from n/a through those prior to 2.8, as published on 2026-01-08 with a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-98.

Unauthenticated attackers can exploit this vulnerability remotely over the network, requiring high attack complexity but no user interaction or privileges. Successful exploitation grants high-impact access to confidentiality, integrity, and availability, potentially allowing attackers to include and execute arbitrary local files on the server.

The Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/wellspring/vulnerability/wordpress-wellspring-theme-2-8-local-file-inclusion-vulnerability?_s_id=cve details the local file inclusion vulnerability in the Wellspring theme and indicates mitigation via update to version 2.8 or later.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Wellspring wellspring allows PHP Local File Inclusion.This issue affects Wellspring: from n/a through < 2.8.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059 Command and Scripting Interpreter Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

LFI in public-facing WordPress theme directly enables remote exploitation (T1190) and arbitrary local file execution (T1059).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-67935Same vendor: Qodeinteractive
CVE-2025-39466Same vendor: Qodeinteractive
CVE-2025-69034Same vendor: Qodeinteractive
CVE-2025-67936Same vendor: Qodeinteractive
CVE-2025-67515Same vendor: Qodeinteractive
CVE-2025-67937Same vendor: Qodeinteractive
CVE-2025-53248Shared CWE-98
CVE-2025-30831Shared CWE-98
CVE-2026-25027Shared CWE-98
CVE-2025-1707Shared CWE-98

Affected Assets

qodeinteractive
wellspring
≤ 2.8

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely patching of the LFI flaw in Wellspring WordPress theme versions prior to 2.8 to eliminate the improper filename control vulnerability.

prevent

Enforces validation of untrusted filename inputs to PHP include/require statements, preventing arbitrary local file inclusion exploitation.

detect

Facilitates identification of the CVE-2025-67934 LFI vulnerability in the Wellspring theme through regular vulnerability scanning, enabling remediation.

References