Cyber Resilience

CVE-2025-68540

Severity: High
Published: 24 December 2025
Modified: 27 April 2026
CISA KEV: not listed
CVSS v3.1: 7.5 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.0011 (28.8th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-68540 is a high-severity Improper Control of Filename for Include/Require Statement vulnerability (CWE-98, titled "PHP Remote File Inclusion") in the thembay Fana WordPress theme; in practice it permits PHP Local File Inclusion. Its CVSS v3.1 base score is 7.5 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 28.8th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-68540 is an Improper Control of Filename for Include/Require Statement vulnerability in the thembay Fana WordPress theme. It carries CWE-98's "PHP Remote File Inclusion" title, but what it enables is PHP Local File Inclusion: an include/require path built from attacker-controlled input. The issue affects Fana through version 1.1.35 (no lower bound is given in the CVE record). The vulnerability was published on 2025-12-24.

Attackers with low privileges (PR:L) can exploit this over the network (AV:N) with no user interaction (UI:N), although the attack complexity is rated high (AC:H), so some condition outside the attacker's direct control must hold. Successful exploitation has high impact on confidentiality, integrity and availability (C:H/I:H/A:H) with unchanged scope (S:U), for a CVSS v3.1 base score of 7.5. In practical terms, local file inclusion lets an attacker read files the web server can read (for example wp-config.php) and, depending on server configuration and on whether attacker-controlled content can be written somewhere the server will include, execute arbitrary PHP.

The Patchstack advisory documents this as a Local File Inclusion vulnerability in the WordPress Fana theme up to version 1.1.35, recommending mitigation through updating to a patched version.
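The following is an added illustration, not code from the Fana theme, from thembay or from Patchstack: a generic WordPress-style template loader with the CWE-98 pattern described above, beside a hardened version that applies the input validation the SI-10 control calls for (an allowlist of shipped template names plus a realpath() containment check). The "layout" parameter name, the templates directory and the allowlist contents are assumptions made for the demo; the fixture files are constructed inline so the script runs offline.

```php
<?php
declare(strict_types=1);

// Added example, not the Fana theme's code. Parameter name "layout",
// the templates directory and the allowlist are assumptions.

// VULNERABLE: user input reaches include() unchecked. Traversal sequences
// ("../") escape the templates directory; with allow_url_include enabled a
// remote URL could be loaded too, which is what CWE-98's title describes.
function load_layout_vulnerable(string $base, string $layout): void
{
    include $base . '/' . $layout;
}

// HARDENED: an allowlist of shipped template names, then a realpath()
// containment check so the resolved file must sit under $base.
// Returns the resolved path, or null when the request is refused, so the
// caller can log denials.
function resolve_layout(string $base, string $layout, array $allowed): ?string
{
    if (!in_array($layout, $allowed, true)) {
        return null;                       // unknown template name: refuse
    }
    $baseReal = realpath($base);
    $fileReal = realpath($base . '/' . $layout . '.php');
    if ($baseReal === false || $fileReal === false) {
        return null;                       // missing directory or file
    }
    $prefix = $baseReal . DIRECTORY_SEPARATOR;
    if (strncmp($fileReal, $prefix, strlen($prefix)) !== 0) {
        return null;                       // resolved outside the templates dir
    }
    return $fileReal;
}

function load_layout_safe(string $base, string $layout, array $allowed): bool
{
    $path = resolve_layout($base, $layout, $allowed);
    if ($path === null) {
        return false;
    }
    include $path;
    return true;
}

// Constructed fixture: a temporary templates directory with two templates and
// a "secret" file one level above it that an LFI would try to reach.
$tmp = sys_get_temp_dir() . '/fana-lfi-demo-' . getmypid();
mkdir($tmp . '/templates', 0700, true);
file_put_contents($tmp . '/templates/grid.php', "<?php echo \"grid template\\n\";");
file_put_contents($tmp . '/templates/list.php', "<?php echo \"list template\\n\";");
file_put_contents($tmp . '/wp-config.php', "<?php echo \"DB_PASSWORD leaked\\n\";");

$allowed = ['grid', 'list'];
$inputs  = ['grid', '../wp-config.php', 'php://filter/convert.base64-encode/resource=grid'];
foreach ($inputs as $input) {
    $ok = load_layout_safe($tmp . '/templates', $input, $allowed);
    printf("%-60s %s\n", var_export($input, true), $ok ? 'loaded' : 'rejected');
}

// The vulnerable loader includes the file outside the directory without complaint.
load_layout_vulnerable($tmp . '/templates', '../wp-config.php');

// Clean up the fixture.
array_map('unlink', glob($tmp . '/templates/*') ?: []);
unlink($tmp . '/wp-config.php');
rmdir($tmp . '/templates');
rmdir($tmp);
```

The allowlist alone already rejects the traversal and the php://filter wrapper string; the realpath() check is defence in depth for the day someone widens the allowlist or builds the name from another source. Note that realpath() resolves symlinks, so a symlink planted inside the templates directory and pointing elsewhere is also caught by the prefix comparison.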


Vulnerability details

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Fana fana allows PHP Local File Inclusion. This issue affects Fana: from n/a through <= 1.1.35.

CWE(s)

CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Remote exploitation of a public-facing WordPress theme by a low-privileged user (PR:L in the CVSS vector) via PHP Local File Inclusion enables sensitive file disclosure or, depending on server configuration, remote code execution, mapping directly to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-28087 (shared CWE-98)
CVE-2025-23952 (shared CWE-98)
CVE-2026-32505 (shared CWE-98)
CVE-2025-48149 (shared CWE-98)
CVE-2025-60058 (shared CWE-98)
CVE-2025-49994 (shared CWE-98)
CVE-2026-24531 (shared CWE-98)
CVE-2025-67527 (shared CWE-98)
CVE-2025-69396 (shared CWE-98)
CVE-2025-62067 (shared CWE-98)

Affected Assets

thembay Fana WordPress theme, versions through 1.1.35

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)
Remediates the specific flaw in the Fana WordPress theme up to version 1.1.35 by updating to a patched release, preventing exploitation of the PHP local file inclusion vulnerability as recommended by Patchstack.

SI-10 Information Input Validation (prevent)
Validates filenames and paths supplied to PHP include/require statements (allowlisting known template names and rejecting traversal sequences and stream wrappers), directly countering the improper control that enables local file inclusion.

Vulnerability scanning (detect)
Scans for and identifies the presence of the vulnerable Fana theme version, enabling flaw remediation before exploitation.
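As an added example of the detection step (not tooling from the page, from Patchstack or from thembay), the script below walks a wp-content/themes directory, reads the style.css header fields that WordPress itself uses to identify a theme ("Theme Name" and "Version"), and reports any Fana install at or below 1.1.35, the upper bound the CVE record gives. The theme directories and header contents it scans are constructed in a temporary directory so it runs offline; point scan_themes() at a real wp-content/themes path to use it on a site.

```php
<?php
declare(strict_types=1);

// Added example, not the page's or Patchstack's tooling. Fixture contents
// below are constructed; the affected range (through 1.1.35) is from the CVE.

const VULN_THEME  = 'Fana';
const LAST_VULN   = '1.1.35';   // affected: from n/a through 1.1.35

// Parse "Field: value" lines from the style.css header comment.
function parse_theme_header(string $css): array
{
    $fields = [];
    foreach (['Theme Name', 'Version'] as $field) {
        $re = '/^\s*\*?\s*' . preg_quote($field, '/') . ':\s*(.+?)\s*$/mi';
        if (preg_match($re, $css, $m)) {
            $fields[$field] = trim($m[1]);
        }
    }
    return $fields;
}

// True when the header names the Fana parent theme at an affected version.
function is_vulnerable_fana(array $hdr): bool
{
    return isset($hdr['Theme Name'], $hdr['Version'])
        && strcasecmp($hdr['Theme Name'], VULN_THEME) === 0
        && version_compare($hdr['Version'], LAST_VULN, '<=');
}

// Returns [theme-directory => version] for every affected theme found.
function scan_themes(string $themesDir): array
{
    $hits = [];
    foreach (glob($themesDir . '/*/style.css') ?: [] as $css) {
        $hdr = parse_theme_header((string) file_get_contents($css));
        if (is_vulnerable_fana($hdr)) {
            $hits[basename(dirname($css))] = $hdr['Version'];
        }
    }
    return $hits;
}

// Constructed fixture: a fake wp-content/themes tree with four themes.
$root = sys_get_temp_dir() . '/wp-themes-demo-' . getmypid();
$fixtures = [
    'fana'             => "/*\nTheme Name: Fana\nVersion: 1.1.35\n*/\n",
    'fana-child'       => "/*\nTheme Name: Fana Child\nTemplate: fana\nVersion: 1.0\n*/\n",
    'fana-new'         => "/*\nTheme Name: Fana\nVersion: 1.1.36\n*/\n",
    'twentytwentyfour' => "/*\nTheme Name: Twenty Twenty-Four\nVersion: 1.2\n*/\n",
];
foreach ($fixtures as $dir => $css) {
    mkdir("$root/$dir", 0700, true);
    file_put_contents("$root/$dir/style.css", $css);
}

foreach (scan_themes($root) as $dir => $ver) {
    echo "VULNERABLE: $dir (Fana $ver, affected through " . LAST_VULN . ")\n";
}

// Clean up the fixture.
foreach (array_keys($fixtures) as $dir) {
    unlink("$root/$dir/style.css");
    rmdir("$root/$dir");
}
rmdir($root);
```

Run against the fixture, only the "fana" directory is reported: 1.1.36 compares above the affected range, and the child theme is not flagged because its header names "Fana Child". That last point is deliberate and worth remembering when scanning real sites: a child theme ships no PHP of its own for the vulnerable templates, it inherits them from the parent directory named in its "Template:" line, so the parent's version is the one that matters and the one the scanner checks.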
