CVE-2025-69041
Published: 22 January 2026
Summary
CVE-2025-69041 is a high-severity PHP Remote File Inclusion (CWE-98) vulnerability. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 39.6th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-69041 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, classified as PHP Remote File Inclusion but enabling PHP Local File Inclusion (CWE-98), in the Dekoro WordPress theme developed by goalthemes. This flaw affects all versions of Dekoro up to and including 1.0.7, where insufficient validation of filenames in PHP include/require statements allows attackers to manipulate file paths.
Remote unauthenticated attackers (AV:N/PR:N) can exploit this vulnerability over the network, though it requires high attack complexity (AC:H) and no user interaction (UI:N). Successful exploitation grants high-impact access to confidential data, integrity modifications, and availability disruptions (C:H/I:H/A:H), with an unchanged scope (S:U), potentially allowing attackers to read sensitive local files on the server via crafted requests to the affected theme endpoints.
Patchstack advisories document this local file inclusion vulnerability in the Dekoro WordPress theme version 1.0.7 and earlier, providing details on the issue via their vulnerability database entry. Security practitioners should review the referenced advisory for specific patch availability or remediation steps, such as updating to a fixed version if released or applying custom filters to input validation in include statements.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-3947
Vulnerability details
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in goalthemes Dekoro dekoro allows PHP Local File Inclusion. This issue affects Dekoro: from n/a through <= 1.0.7.
- CWE(s): CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An LFI vulnerability in a public-facing WordPress theme directly enables remote exploitation of public-facing applications (T1190) and reading of files from the local system (T1005).
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly remediates the PHP Local File Inclusion flaw in the Dekoro theme by applying patches or updates that fix the improper filename validation in include/require statements.
- SI-10 (Information Input Validation): requires validation of filenames and file paths supplied to PHP include/require statements, so that remote attackers cannot manipulate the resolved path.
- Secure PHP configuration: enforces settings such as open_basedir restrictions to limit the scope of local file access even if input validation fails.
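The following is an added illustration of the input-validation control described above and of the CWE-98 pattern behind this class of vulnerability. It is not code from the Dekoro theme, from goalthemes, or from Patchstack; the request parameter name `template`, the `templates/` directory layout, and the allowlisted template names are assumptions made for the example. The first function shows the unsafe shape (a request value concatenated straight into `include`), and the second shows the hardened shape: an exact-match allowlist followed by a canonical-path containment check.

```php
<?php
// Added example, not the Dekoro theme's code. The "template" parameter,
// the templates/ directory and the allowlist below are assumptions.

// --- Vulnerable pattern (CWE-98) -------------------------------------------
// An attacker-controlled value reaches include() unchanged, so traversal
// sequences or stream wrappers in $template decide which file is executed.
function render_template_unsafe(string $template): void
{
    include __DIR__ . '/templates/' . $template . '.php';
}

// --- Hardened pattern --------------------------------------------------------
const TEMPLATE_DIR       = __DIR__ . '/templates';
const ALLOWED_TEMPLATES  = ['home', 'single', 'archive'];

/**
 * Map a request-supplied template name to a file path, or return null.
 * Defence 1: the value must match a fixed allowlist exactly (strict compare).
 * Defence 2: the resolved, canonical path must still sit inside TEMPLATE_DIR,
 *            which catches symlinks or any future relaxation of the allowlist.
 */
function resolve_template(string $template): ?string
{
    if (!in_array($template, ALLOWED_TEMPLATES, true)) {
        return null;
    }

    $base = realpath(TEMPLATE_DIR);
    $path = realpath(TEMPLATE_DIR . '/' . $template . '.php');
    if ($base === false || $path === false) {
        return null; // directory or file does not exist
    }

    // Prefix comparison including the separator, so "/templates-other/" does
    // not pass as a child of "/templates".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null; // resolved outside the template directory
    }
    return $path;
}

function render_template(string $template): void
{
    $path = resolve_template($template);
    if ($path === null) {
        http_response_code(400);
        exit('Unknown template');
    }
    include $path;
}

// Usage: $_GET['template'] is an assumed request parameter for this example.
render_template(isset($_GET['template']) ? (string) $_GET['template'] : 'home');
```

The allowlist is the primary control: it rejects everything that is not one of a handful of known names, so the containment check rarely fires, but keeping it makes the function safe to reuse if the allowlist is later replaced by a lookup from configuration. As the defence-in-depth layer from the last control above, an `open_basedir` setting in `php.ini` (for example restricting PHP to the web root and a temp directory) limits what `include` can reach even if a theme elsewhere skips this validation.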