CVE-2025-69070
Published: 22 January 2026
Summary
CVE-2025-69070 is a high-severity PHP Remote File Inclusion (CWE-98) vulnerability. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 39.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-69070 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, classified as PHP Remote File Inclusion but enabling PHP Local File Inclusion, in the Tornados WordPress theme developed by AncoraThemes. The issue affects Tornados versions from n/a through 2.1. It is associated with CWE-98 and carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to network accessibility and significant impacts on confidentiality, integrity, and availability.
The vulnerability can be exploited by unauthenticated attackers over the network, though it requires high attack complexity and no user interaction. Successful exploitation allows local file inclusion, potentially enabling attackers to read sensitive local files or execute arbitrary code if configurable PHP files are accessible, resulting in high-level compromise of the affected WordPress site.
The Patchstack advisory provides details on this WordPress Tornados theme vulnerability, including assessment and recommended actions for mitigation.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-3914
Vulnerability details
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Tornados tornados allows PHP Local File Inclusion. This issue affects Tornados: from n/a through <= 2.1.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct network-exploitable LFI/RFI in public-facing WordPress theme enables initial access via T1190; arbitrary code execution and local file reads are secondary effects of successful exploitation.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- Directly remediates the improper filename control flaw in the Tornados WordPress theme by identifying, reporting, and applying patches to vulnerable versions up to 2.1.
- Enforces validation of information inputs, such as user-supplied filenames in PHP include/require statements, to prevent local file inclusion exploitation.
- Establishes and enforces secure configuration settings for PHP environments, like open_basedir restrictions, to limit the scope of local file inclusion attacks.