CVE-2025-69075

WordPress Yolox theme <= 1.0.15 - Local File Inclusion vulnerability

CVSS 8.1 HIGH · EPSS 0.5% · CWE-98
In short

The WordPress Yolox theme up to version 1.0.15 has a flaw that lets attackers read or execute arbitrary files from the server by manipulating input that controls which files the site loads. This can expose sensitive data or allow unauthorized code execution.

Technical detail

The Yolox theme's file inclusion mechanism fails to properly validate user-supplied input used in PHP include/require statements (CWE-98), enabling local file inclusion (LFI). An unauthenticated attacker can exploit this to read sensitive files or, in certain configurations, achieve remote code execution by including malicious files.

Summary generated and translated by AI from the official description.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Yolox yolox allows PHP Local File Inclusion. This issue affects Yolox: from n/a through <= 1.0.15.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
AncoraThemes · Yolox
