Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-24760

CVE-2025-24760: Sofass Theme PHP File Inclusion Flaw

CVE-2025-24760 is a PHP local file inclusion vulnerability in goalthemes Sofass theme that allows attackers to include malicious files. This article covers the technical details, affected versions up to 1.3.4, and steps to secure your installation.

Updated:

CVE-2025-24760 Overview

CVE-2025-24760 is a PHP Local File Inclusion (LFI) vulnerability in the goalthemes Sofass WordPress theme. The flaw stems from improper control of filenames used in include or require statements [CWE-98]. Attackers can manipulate file path parameters to load arbitrary PHP files from the server. The vulnerability affects all versions of Sofass through 1.3.4. Successful exploitation can lead to disclosure of sensitive server files and, in many cases, remote code execution when an attacker controls includable content on the server.

Critical Impact

Network-based attackers without authentication can include arbitrary local PHP files, compromising confidentiality, integrity, and availability of the WordPress installation.

Affected Products

  • goalthemes Sofass WordPress theme versions through 1.3.4
  • WordPress sites running any vulnerable Sofass release
  • Web servers hosting unpatched Sofass deployments

Discovery Timeline

  • 2025-06-27 - CVE-2025-24760 published to NVD
  • 2026-04-23 - Last updated in NVD database

Technical Details for CVE-2025-24760

Vulnerability Analysis

The Sofass theme passes attacker-influenced input into a PHP include or require statement without sufficient validation. PHP resolves the supplied path and executes any matching local file as PHP code. This pattern, classified under [CWE-98], is the root of Local and Remote File Inclusion bugs. An unauthenticated remote attacker can request a crafted URL that points the include directive to log files, uploaded media, session files, or other writable paths. When such a file contains attacker-supplied content, the inclusion results in arbitrary PHP execution under the web server account. The EPSS probability for exploitation is 0.547% at the 68th percentile, indicating measurable interest from opportunistic attackers scanning WordPress installations.

Root Cause

The theme builds an include path from user-controllable input — typically a query parameter or POST field — without enforcing an allowlist or sanitizing directory traversal sequences. PHP then resolves the path relative to the theme directory and executes any file it finds, regardless of its intended purpose.

Attack Vector

An unauthenticated attacker sends an HTTP request to a Sofass theme endpoint, supplying a manipulated path parameter containing ../ sequences or absolute paths. The server includes the target file and executes its contents as PHP. Refer to the Patchstack Vulnerability Advisory for the technical write-up.

// No verified exploit code is published.
// See the Patchstack advisory for technical details.

Detection Methods for CVE-2025-24760

Indicators of Compromise

  • HTTP requests to Sofass theme paths containing ../, ..%2f, or null-byte sequences in query parameters
  • Web server access logs showing parameters that reference /etc/passwd, wp-config.php, or PHP session files
  • Unexpected PHP processes spawning shell commands originating from the web server user

Detection Strategies

  • Inspect WordPress access logs for requests targeting Sofass theme PHP files with path-like parameter values
  • Monitor file integrity on wp-content/themes/sofass/ for unauthorized modifications or new files
  • Alert on PHP error log entries referencing failed include or require operations against unexpected paths

Monitoring Recommendations

  • Forward WordPress and web server logs to a centralized analytics platform for correlation across hosts
  • Track outbound network connections from PHP-FPM or Apache worker processes to identify post-exploitation callbacks
  • Enable WordPress audit logging to capture theme and plugin changes that may indicate webshell placement

How to Mitigate CVE-2025-24760

Immediate Actions Required

  • Take vulnerable Sofass installations offline or restrict public access until a patch is applied
  • Audit the WordPress filesystem for unauthorized PHP files in uploads, theme, and plugin directories
  • Rotate WordPress administrator credentials, database passwords, and API keys stored in wp-config.php

Patch Information

No fixed version is identified in the available advisory data. The vulnerability affects Sofass releases through 1.3.4. Site operators should consult the Patchstack Vulnerability Advisory for vendor remediation status and apply any updated theme release as soon as it becomes available.

Workarounds

  • Deploy a web application firewall rule that blocks directory traversal sequences in request parameters targeting the Sofass theme
  • Disable the Sofass theme and switch to a supported alternative until a fixed version is released
  • Set open_basedir and disable_functions directives in php.ini to limit which files PHP can include and execute
bash
# Example php.ini hardening to limit file inclusion scope
open_basedir = "/var/www/html/:/tmp/"
disable_functions = "exec,passthru,shell_exec,system,proc_open,popen"
allow_url_include = Off
allow_url_fopen = Off

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.