CVE-2025-69071

WordPress TanTum theme <= 1.1.13 - Local File Inclusion vulnerability

CVSS 8.1 HIGH · EPSS 0.5% · CWE-98
In short

The WordPress TanTum theme versions 1.1.13 and earlier contain a vulnerability that allows attackers to include and execute arbitrary local files on the server. This can lead to unauthorized access to sensitive information or complete site compromise.

Technical detail

A PHP Local File Inclusion (LFI) vulnerability exists in the TanTum theme due to improper control of filenames in include/require statements. An unauthenticated attacker can manipulate file path parameters to include arbitrary local files, potentially leading to information disclosure or remote code execution if combined with file upload mechanisms.

Summary generated and translated by AI from the official description.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes TanTum tantum allows PHP Local File Inclusion. This issue affects TanTum: from n/a through <= 1.1.13.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
AncoraThemes · TanTum
