CVE-2025-69059

WordPress DiveIt theme <= 1.4.3 - Local File Inclusion vulnerability

CVSS 8.1 HIGH · EPSS 0.5% · CWE-98
In short

The DiveIt WordPress theme allows attackers to include and execute arbitrary local files on the server through improper input handling. This can lead to sensitive data exposure or remote code execution if combined with other techniques.

Technical detail

A PHP Local File Inclusion (LFI) vulnerability exists in DiveIt theme <= 1.4.3 due to improper validation of filename parameters in include/require statements (CWE-98). An unauthenticated attacker can manipulate input to include arbitrary files from the server, potentially leading to information disclosure or code execution depending on file permissions and availability.

Summary generated and translated by AI from the official description.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes DiveIt diveit allows PHP Local File Inclusion. This issue affects DiveIt: from n/a through <= 1.4.3.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
AncoraThemes · DiveIt