Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-28888

CVE-2025-28888: GiftXtore Path Traversal Vulnerability

CVE-2025-28888 is a path traversal flaw in BZOTheme GiftXtore that enables PHP local file inclusion attacks through improper filename control. This article covers technical details, affected versions, and mitigation.

Updated:

CVE-2025-28888 Overview

CVE-2025-28888 is a PHP Local File Inclusion (LFI) vulnerability in the BZOTheme GiftXtore WordPress theme (bw-giftxtore). The flaw stems from improper control of filenames used in PHP include or require statements [CWE-98]. Attackers can supply crafted input that causes the theme to load arbitrary local files through the PHP file inclusion mechanism. The issue affects all GiftXtore versions up to and including 1.7.7. Successful exploitation can lead to disclosure of sensitive configuration files, source code, or execution of attacker-controlled PHP if combined with file upload primitives.

Critical Impact

Remote, unauthenticated attackers can include arbitrary local files via the WordPress theme, exposing credentials in wp-config.php and potentially achieving code execution.

Affected Products

  • BZOTheme GiftXtore (bw-giftxtore) WordPress theme — all versions through 1.7.7
  • WordPress installations running GiftXtore versions prior to the fixed release
  • Sites that have not applied the Patchstack-tracked remediation

Discovery Timeline

  • 2025-06-09 - CVE-2025-28888 published to the National Vulnerability Database (NVD)
  • 2026-04-23 - Last updated in NVD database

Technical Details for CVE-2025-28888

Vulnerability Analysis

The vulnerability is categorized under [CWE-98], Improper Control of Filename for Include/Require Statement in PHP Program. GiftXtore passes user-controllable input into a PHP include or require call without sufficient validation or allow-listing. Although the CWE name references Remote File Inclusion, the Patchstack advisory confirms exploitation in this case is a Local File Inclusion. Attackers do not require authentication, and the attack is performed over the network against the WordPress front end. The vulnerable code path executes during normal theme request handling, so no administrative interaction is needed to trigger the include operation.

Root Cause

The theme accepts a request parameter that is concatenated into a filesystem path and then passed to a PHP file inclusion function. There is no canonicalization, no extension enforcement, and no restriction to a fixed directory. As a result, traversal sequences and absolute paths reach the include statement, allowing the PHP interpreter to load and execute any readable .php file on disk, or disclose contents of non-PHP files when streamed through certain wrappers.

Attack Vector

The attack is network-based and unauthenticated. An attacker issues an HTTP request to a vulnerable GiftXtore endpoint with a manipulated file parameter pointing at a sensitive local file, such as wp-config.php, log files, or uploaded media containing embedded PHP. The PHP runtime then evaluates the target file in the context of the WordPress process. When chained with an arbitrary file write or an attacker-controlled upload location, the LFI becomes a path to Remote Code Execution. Refer to the Patchstack WordPress Vulnerability advisory for the affected request surface.

Detection Methods for CVE-2025-28888

Indicators of Compromise

  • HTTP requests to GiftXtore theme paths containing traversal sequences such as ../, ..%2f, or absolute paths like /etc/passwd and wp-config.php
  • Web server access logs showing requests with query parameters whose values resemble filesystem paths or PHP filter wrappers like php://filter/convert.base64-encode/resource=
  • Unexpected outbound network connections from the PHP-FPM or web server process following suspicious theme requests
  • New or modified PHP files in wp-content/uploads/ or theme directories shortly after suspicious include requests

Detection Strategies

  • Inspect WordPress access logs for parameter values containing ../, null bytes (%00), or php:// wrappers targeting wp-content/themes/bw-giftxtore/
  • Deploy WAF rules that flag inclusion of sensitive filenames such as wp-config.php, .htaccess, /proc/self/environ, and /etc/passwd
  • Correlate web request anomalies with PHP error logs that show include() or require() failures referencing unexpected paths

Monitoring Recommendations

  • Enable verbose PHP logging for include/require failures and ship logs to a centralized analytics platform
  • Monitor file integrity in the WordPress installation, especially wp-config.php, theme files, and upload directories
  • Track outbound connections initiated by web server processes to identify post-exploitation command-and-control traffic

How to Mitigate CVE-2025-28888

Immediate Actions Required

  • Update the BZOTheme GiftXtore theme to a version later than 1.7.7 as soon as a fixed release is available from the vendor
  • Audit web and PHP error logs for prior exploitation attempts referencing bw-giftxtore endpoints with path traversal patterns
  • Rotate WordPress database credentials and any secrets stored in wp-config.php if exploitation is suspected
  • Restrict file system permissions so the web server account cannot read sensitive files outside the document root

Patch Information

The vulnerability affects GiftXtore versions up to and including 1.7.7. Consult the Patchstack WordPress Vulnerability advisory for the current fixed version and remediation guidance from the vendor.

Workarounds

  • Deploy a Web Application Firewall (WAF) rule that blocks requests to GiftXtore endpoints containing path traversal sequences or php:// stream wrappers
  • Set the PHP directive open_basedir to constrain file inclusion to the WordPress installation directory
  • Disable allow_url_include and allow_url_fopen in php.ini to prevent escalation to Remote File Inclusion
  • Temporarily deactivate the GiftXtore theme on internet-exposed sites until a patched release is installed
bash
# Configuration example: harden PHP against file inclusion abuse
# /etc/php/8.x/fpm/php.ini
allow_url_include = Off
allow_url_fopen = Off
open_basedir = "/var/www/html:/tmp"
disable_functions = "exec,passthru,shell_exec,system,proc_open,popen"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.