CVE-2025-69068

WordPress Muji theme <= 1.2.0 - Local File Inclusion vulnerability

CVSS 8.1 HIGHEPSS 0.5%CWE-98

In short

The WordPress Muji theme up to version 1.2.0 has a flaw that allows attackers to include and execute files from the server, potentially exposing sensitive information or running malicious code.

Technical detail

A PHP Local File Inclusion (LFI) vulnerability exists in the Muji theme due to improper control of filenames in include/require statements. An attacker can manipulate input parameters to include arbitrary local files, leading to information disclosure or remote code execution depending on file accessibility and server configuration.

Summary generated and translated by AI from the official description.

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Muji muji allows PHP Local File Inclusion.This issue affects Muji: from n/a through <= 1.2.0.

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected products

AncoraThemes · Muji

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://patchstack.com/database/Wordpress/Theme/muji/vulnerability/wordpress-muji-theme-1-2-0-local-file-inclusion-vulnerability?_s_id=cve