CVE-2025-68984
Published: 30 December 2025
Summary
CVE-2025-68984 is a high-severity PHP Remote File Inclusion (CWE-98) vulnerability. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 28.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-68984 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, classified as PHP Remote File Inclusion but enabling PHP Local File Inclusion (CWE-98), affecting the Puca WordPress theme developed by thembay. The issue impacts all versions of Puca up to and including 2.6.39. It carries a CVSS v3.1 base score of 7.5 (High), with vector AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility but high attack complexity and a requirement for low privileges.
An attacker with low-privileged access, such as an authenticated WordPress user, can exploit this over the network by controlling the filename that the theme passes to a PHP include/require statement. Successful exploitation allows high-impact confidentiality, integrity, and availability violations: local files can be disclosed or included, which could lead to further compromise depending on the server configuration.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/puca/vulnerability/wordpress-puca-theme-2-6-39-local-file-inclusion-vulnerability?_s_id=cve provides details on the vulnerability in the Puca theme version 2.6.39, including recommended mitigations such as updating to a patched version where available.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-205751
Vulnerability details
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Puca puca allows PHP Local File Inclusion. This issue affects Puca: from n/a through <= 2.6.39.
- CWE(s): CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
LFI in a public-facing WordPress theme enables exploitation of the public-facing application (T1190), reading local files for data collection (T1005), and access to credentials stored in files such as wp-config.php (T1552.001).
Mitigating Controls (NIST 800-53 r5)
- Flaw remediation: requires timely identification, reporting, and patching of flaws such as the PHP local file inclusion vulnerability in the Puca WordPress theme up to and including version 2.6.39.
- SI-10 (Information Input Validation): mandates validation of filenames supplied to PHP include/require statements, directly preventing the manipulation that leads to local file inclusion.
- RA-5 (Vulnerability Monitoring and Scanning): vulnerability scanning detects PHP remote/local file inclusion issues in components such as the Puca theme, enabling proactive remediation.
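To make the CWE-98 pattern described above and the input-validation control (SI-10) recommended here concrete, the following is an added PHP example. It is not code from the Puca theme or from thembay, and it does not reflect how that theme is implemented: the template loader, the template names, the `EXAMPLE_TEMPLATES` allowlist and the temporary directory are all constructed for illustration. It contrasts a loader that builds an include path from request input with one that maps request tokens through an allowlist and confirms the resolved file stays inside the template directory.

```php
<?php
// Added example, not the Puca theme's code: a generic template loader in the
// CWE-98 pattern, followed by a hardened version that never treats request
// input as a path. Template names and directories below are constructed.

declare(strict_types=1);

// Vulnerable pattern (CWE-98): the include path is assembled from a request
// parameter, so the request decides which .php file on disk gets executed.
function load_template_unsafe(string $templateDir, string $requested): void
{
    include $templateDir . '/' . $requested . '.php';
}

// Hardened pattern, step 1: an allowlist maps short request tokens to real
// file names; the request value itself is never used to build a path.
const EXAMPLE_TEMPLATES = [
    'grid' => 'product-grid.php',
    'list' => 'product-list.php',
];

// Hardened pattern, step 2: resolve the mapped file and confirm it still
// lies inside the template directory before handing it to include.
function resolve_template(string $templateDir, string $requested): ?string
{
    if (!array_key_exists($requested, EXAMPLE_TEMPLATES)) {
        return null;                          // unknown token: fail closed
    }
    $base = realpath($templateDir);
    $path = realpath($templateDir . '/' . EXAMPLE_TEMPLATES[$requested]);
    if ($base === false || $path === false) {
        return null;                          // directory or file missing
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;                          // resolved outside the base dir
    }
    return $path;
}

function load_template_safe(string $templateDir, string $requested): void
{
    $path = resolve_template($templateDir, $requested);
    if ($path === null) {
        http_response_code(400);
        exit('Unknown template');
    }
    include $path;
}

// Self-check against a constructed temporary template directory.
function expect(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException('check failed: ' . $what);
    }
}

$dir = sys_get_temp_dir() . '/cwe98-example-' . getmypid();
mkdir($dir, 0700);
file_put_contents($dir . '/product-grid.php', "<?php echo 'grid ok';");

expect(resolve_template($dir, 'grid') === realpath($dir . '/product-grid.php'),
       'allowlisted token resolves inside the template directory');
expect(resolve_template($dir, 'list') === null,
       'allowlisted token whose file is absent is rejected');
expect(resolve_template($dir, '../../not-allowed') === null,
       'request value that is not an allowlist key is rejected');

load_template_safe($dir, 'grid');    // echoes "grid ok"
echo PHP_EOL;

unlink($dir . '/product-grid.php');
rmdir($dir);
```

Run it with `php example.php`. The allowlist is the control that matters: the request value is only ever used as an array key, so it cannot name a file. The `realpath` prefix check is defence in depth for the case where the allowlist itself is later populated from configuration, and it must compare against `$base . DIRECTORY_SEPARATOR` rather than `$base` alone so that a sibling directory sharing the prefix is not accepted.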