CVE-2025-24760 Overview
CVE-2025-24760 is a PHP Local File Inclusion (LFI) vulnerability in the goalthemes Sofass WordPress theme. The flaw stems from improper control of filenames used in include or require statements [CWE-98]. Attackers can manipulate file path parameters to load arbitrary PHP files from the server. The vulnerability affects all versions of Sofass through 1.3.4. Successful exploitation can lead to disclosure of sensitive server files and, in many cases, remote code execution when an attacker controls includable content on the server.
Critical Impact
Network-based attackers without authentication can include arbitrary local PHP files, compromising confidentiality, integrity, and availability of the WordPress installation.
Affected Products
- goalthemes Sofass WordPress theme versions through 1.3.4
- WordPress sites running any vulnerable Sofass release
- Web servers hosting unpatched Sofass deployments
Discovery Timeline
- 2025-06-27 - CVE-2025-24760 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2025-24760
Vulnerability Analysis
The Sofass theme passes attacker-influenced input into a PHP include or require statement without sufficient validation. PHP resolves the supplied path and executes any matching local file as PHP code. This pattern, classified under [CWE-98], is the root of Local and Remote File Inclusion bugs. An unauthenticated remote attacker can request a crafted URL that points the include directive to log files, uploaded media, session files, or other writable paths. When such a file contains attacker-supplied content, the inclusion results in arbitrary PHP execution under the web server account. The EPSS probability for exploitation is 0.547% at the 68th percentile, indicating measurable interest from opportunistic attackers scanning WordPress installations.
Root Cause
The theme builds an include path from user-controllable input — typically a query parameter or POST field — without enforcing an allowlist or sanitizing directory traversal sequences. PHP then resolves the path relative to the theme directory and executes any file it finds, regardless of its intended purpose.
Attack Vector
An unauthenticated attacker sends an HTTP request to a Sofass theme endpoint, supplying a manipulated path parameter containing ../ sequences or absolute paths. The server includes the target file and executes its contents as PHP. Refer to the Patchstack Vulnerability Advisory for the technical write-up.
// No verified exploit code is published.
// See the Patchstack advisory for technical details.
Detection Methods for CVE-2025-24760
Indicators of Compromise
- HTTP requests to Sofass theme paths containing ../, ..%2f, or null-byte sequences in query parameters
- Web server access logs showing parameters that reference /etc/passwd, wp-config.php, or PHP session files
- Unexpected PHP processes spawning shell commands originating from the web server user
Detection Strategies
- Inspect WordPress access logs for requests targeting Sofass theme PHP files with path-like parameter values
- Monitor file integrity on wp-content/themes/sofass/ for unauthorized modifications or new files
- Alert on PHP error log entries referencing failed include or require operations against unexpected paths
Monitoring Recommendations
- Forward WordPress and web server logs to a centralized analytics platform for correlation across hosts
- Track outbound network connections from PHP-FPM or Apache worker processes to identify post-exploitation callbacks
- Enable WordPress audit logging to capture theme and plugin changes that may indicate webshell placement
How to Mitigate CVE-2025-24760
Immediate Actions Required
- Take vulnerable Sofass installations offline or restrict public access until a patch is applied
- Audit the WordPress filesystem for unauthorized PHP files in uploads, theme, and plugin directories
- Rotate WordPress administrator credentials, database passwords, and API keys stored in wp-config.php
Patch Information
No fixed version is identified in the available advisory data. The vulnerability affects Sofass releases through 1.3.4. Site operators should consult the Patchstack Vulnerability Advisory for vendor remediation status and apply any updated theme release as soon as it becomes available.
Workarounds
- Deploy a web application firewall rule that blocks directory traversal sequences in request parameters targeting the Sofass theme
- Disable the Sofass theme and switch to a supported alternative until a fixed version is released
- Set open_basedir and disable_functions directives in php.ini to limit which files PHP can include and execute
# Example php.ini hardening to limit file inclusion scope
open_basedir = "/var/www/html/:/tmp/"
disable_functions = "exec,passthru,shell_exec,system,proc_open,popen"
allow_url_include = Off
allow_url_fopen = Off
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

