CVE-2025-68540
Published: 24 December 2025
Summary
CVE-2025-68540 is a high-severity PHP Remote File Inclusion (CWE-98) vulnerability. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 28.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-68540 is an Improper Control of Filename for Include/Require Statement vulnerability, referred to as PHP Remote File Inclusion but enabling PHP Local File Inclusion, in the thembay Fana WordPress theme. This issue affects Fana versions from n/a through 1.1.35 and is associated with CWE-98. The vulnerability was published on 2025-12-24.
Attackers with low privileges (PR:L) can exploit this over the network (AV:N) with high attack complexity (AC:H) and no user interaction (UI:N), achieving high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H). The CVSS v3.1 base score is 7.5 with unchanged scope (S:U). Successful exploitation allows local file inclusion, potentially enabling attackers to read sensitive files or execute arbitrary code depending on server configuration.
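As an added illustration, not code from the Fana theme, from thembay or from Patchstack, the PHP below shows the generic CWE-98 pattern the advisory describes (a request value flowing into include) beside an allowlist-based fix that the SI-10 input-validation control calls for. The function names, the templates directory and the allowlist entries are assumptions.

```php
<?php
// Added illustration (not the Fana theme's code): the generic CWE-98 pattern
// next to an allowlist-based fix. All names and paths here are assumptions.

// VULNERABLE: a request value is concatenated into the include path. Traversal
// sequences or stream wrappers in $name can pull in files the author never
// intended (and remote sources if allow_url_include is enabled).
function render_template_unsafe(string $templatesDir, string $name): void
{
    include $templatesDir . '/' . $name . '.php';
}

// HARDENED: the untrusted value only selects a key in a fixed map; it never
// becomes part of a filesystem path.
const TEMPLATE_ALLOWLIST = [
    'header'  => 'header.php',
    'footer'  => 'footer.php',
    'sidebar' => 'sidebar.php',
];

/** Return the absolute path of an allowlisted template, or null if rejected. */
function resolve_template(string $templatesDir, string $name): ?string
{
    if (!array_key_exists($name, TEMPLATE_ALLOWLIST)) {
        return null;
    }
    $base = realpath($templatesDir);
    $path = realpath($templatesDir . '/' . TEMPLATE_ALLOWLIST[$name]);
    // Defence in depth: the resolved file must still sit under the base directory.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function render_template_safe(string $templatesDir, string $name): void
{
    $path = resolve_template($templatesDir, $name);
    if ($path === null) {
        http_response_code(400);
        echo "unknown template\n";
        return;
    }
    include $path;
}

// Self-contained demo using a constructed templates directory (not a real site).
$dir = sys_get_temp_dir() . '/cwe98-demo-' . getmypid();
mkdir($dir . '/templates', 0700, true);
file_put_contents($dir . '/templates/header.php', "<?php echo \"header ok\\n\";\n");
render_template_safe($dir . '/templates', 'header');     // allowlisted: included
render_template_safe($dir . '/templates', '../secret');  // rejected: not an allowlist key
```

The allowlist is the actual control: once the request value can only choose among fixed keys, validation of the string itself becomes unnecessary. The realpath containment check is kept as a second layer in case the map is later populated from configuration.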
The Patchstack advisory documents this as a Local File Inclusion vulnerability in the WordPress Fana theme up to version 1.1.35, recommending mitigation through updating to a patched version.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-205187
Vulnerability details
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Fana fana allows PHP Local File Inclusion. This issue affects Fana: from n/a through <= 1.1.35.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated remote exploitation of a public-facing WordPress theme via PHP Local File Inclusion enables remote code execution or sensitive file disclosure, directly mapping to T1190: Exploit Public-Facing Application.
Mitigating Controls (NIST 800-53 r5)
SI-2 (Flaw Remediation): Remediates the specific flaw in the Fana WordPress theme up to version 1.1.35, preventing exploitation of the PHP local file inclusion vulnerability as recommended by Patchstack.
SI-10 (Information Input Validation): Validates filenames and paths supplied to PHP include/require statements, directly countering the improper control that enables local file inclusion.
Scans for and identifies the presence of the vulnerable Fana theme version, enabling proactive flaw remediation before exploitation.
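The following PHP is an added example of the version check the last control describes; it is not Patchstack's tooling or the theme vendor's code. It reads the Version header from each theme's style.css under a WordPress document root and flags a Fana install at or below 1.1.35, the last affected version the advisory names. The theme slug, the exact "Theme Name: Fana" header text and the document-root layout are assumptions.

```php
<?php
// Added example (not Patchstack's or thembay's code): locate the Fana theme by
// its style.css header and report whether the installed version is affected.
// Directory layout and header wording are assumptions about a standard install.

const FANA_LAST_AFFECTED = '1.1.35';   // advisory: affected "through <= 1.1.35"

/** Parse the "Version:" line of a WordPress theme style.css header; null if absent. */
function theme_version_from_stylesheet(string $css): ?string
{
    if (preg_match('/^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)\s*$/mi', $css, $m)) {
        return $m[1];
    }
    return null;
}

/** True when the version is within the affected range (or cannot be determined). */
function is_affected_fana_version(?string $version): bool
{
    if ($version === null) {
        return true; // unknown version: treat as affected until verified by hand
    }
    return version_compare($version, FANA_LAST_AFFECTED, '<=');
}

/** Scan a WordPress document root; returns findings keyed by theme directory. */
function scan_fana(string $docroot): array
{
    $findings = [];
    foreach (glob($docroot . '/wp-content/themes/*/style.css') ?: [] as $file) {
        $css = file_get_contents($file);
        // Only look at stylesheets whose header identifies the theme as Fana.
        if ($css === false || !preg_match('/^\s*\*?\s*Theme Name:\s*Fana\s*$/mi', $css)) {
            continue;
        }
        $version = theme_version_from_stylesheet($css);
        $findings[dirname($file)] = [
            'version'  => $version,
            'affected' => is_affected_fana_version($version),
        ];
    }
    return $findings;
}

// Constructed sample header (not a real file) exercising the parser and the comparison.
$sample = "/*\nTheme Name: Fana\nTheme URI: https://example.invalid/\nVersion: 1.1.35\n*/\n";
$version = theme_version_from_stylesheet($sample);
printf("sample version %s affected: %s\n", $version, is_affected_fana_version($version) ? 'yes' : 'no');

// Usage against a live install, e.g. from the CLI: scan_fana('/var/www/html')
if ($argc > 1) {
    print_r(scan_fana($argv[1]));
}
```

version_compare() handles the dotted scheme WordPress themes use, so a future fixed release compares correctly without string tricks; a missing Version header is deliberately reported as affected rather than silently skipped.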