CVE-2025-64363 Overview
CVE-2025-64363 is a PHP Local File Inclusion (LFI) vulnerability affecting the SeventhQueen Kleo WordPress theme. The flaw stems from improper control of filenames passed to PHP include or require statements [CWE-98]. Authenticated attackers with low privileges can exploit the issue over the network to include arbitrary local files. Successful exploitation can disclose sensitive configuration data, leak credentials, or lead to code execution when attackers control includable file content. The vulnerability affects all Kleo theme versions up to and including 5.5.0.
Critical Impact
Authenticated attackers can include arbitrary PHP files on the WordPress server, exposing sensitive data and potentially achieving code execution.
Affected Products
- SeventhQueen Kleo WordPress Theme versions prior to 5.5.0
- WordPress sites using the Kleo theme up to version 5.5.0
- Any WordPress installation with the vulnerable Kleo theme active
Discovery Timeline
- 2025-10-31 - CVE-2025-64363 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-64363
Vulnerability Analysis
The vulnerability resides in the Kleo theme's handling of file paths supplied to PHP include or require statements. The theme accepts user-controlled input that is concatenated into a file path without sufficient sanitization or allow-list validation. PHP then loads and executes the targeted file in the context of the WordPress process.
Although the advisory classifies the weakness as PHP Remote File Inclusion (RFI), the realized impact is Local File Inclusion (LFI). An attacker can traverse directories using sequences such as ../ to reach files outside the intended theme directory. Targets typically include wp-config.php, log files, and uploaded payloads that contain PHP code.
The attack requires low-privilege authentication, meaning any authenticated user role with access to the vulnerable endpoint can attempt exploitation. The EPSS score is 0.109% with a percentile of 28.66, indicating limited observed exploitation activity at this time.
Root Cause
The root cause is improper control of the filename argument used in a PHP include, include_once, require, or require_once statement. The theme fails to enforce an allow-list of permitted files or to canonicalize and validate the resulting path against an expected base directory.
Attack Vector
The attacker authenticates to the target WordPress site with low privileges and sends a crafted request to the vulnerable Kleo theme endpoint. The malicious parameter contains a relative or absolute path pointing to a sensitive file. PHP resolves the path and executes or returns the contents of the included file.
For technical details and proof-of-concept references, consult the Patchstack Vulnerability Report.
Detection Methods for CVE-2025-64363
Indicators of Compromise
- HTTP requests to Kleo theme endpoints containing ../ sequences or absolute paths in query parameters
- Access log entries referencing wp-config.php, /etc/passwd, or other sensitive system files in request parameters
- Unexpected PHP errors in web server logs referencing include() or require() with unusual file paths
- Unauthorized read of WordPress configuration data or sudden credential reuse following Kleo theme requests
Detection Strategies
- Inspect web server access logs for requests targeting Kleo theme PHP files with suspicious file path parameters
- Deploy web application firewall (WAF) rules that block path traversal patterns in WordPress theme parameters
- Monitor PHP error logs for failed to open stream or No such file or directory messages tied to dynamic includes
- Correlate low-privilege user sessions with anomalous file access patterns on theme endpoints
Monitoring Recommendations
- Enable file integrity monitoring on wp-config.php and other WordPress configuration files
- Alert on outbound connections from the web server process that follow successful theme requests
- Track authentication events for low-privilege accounts that suddenly access theme administration endpoints
- Forward WordPress and web server logs to a centralized SIEM for correlation and retention
How to Mitigate CVE-2025-64363
Immediate Actions Required
- Update the SeventhQueen Kleo theme to a version later than 5.5.0 as soon as the vendor publishes a fix
- Audit WordPress user accounts and remove or restrict low-privilege roles that are not required
- Rotate WordPress secrets, database credentials, and API keys stored in wp-config.php if exploitation is suspected
- Review web server access logs for prior exploitation attempts referencing Kleo theme paths
Patch Information
The vendor advisory tracked by Patchstack identifies all versions up to and including 5.5.0 as vulnerable. Site operators should monitor the Patchstack Vulnerability Report and the SeventhQueen vendor channel for a patched release and apply it immediately.
Workarounds
- Deactivate the Kleo theme until a patched version is available and switch to a default WordPress theme
- Restrict access to the WordPress admin and theme endpoints using IP allow-listing or HTTP authentication
- Configure PHP open_basedir to limit file system access for the web server process to the WordPress directory
- Deploy WAF rules that block path traversal sequences and absolute paths in HTTP parameters
# Configuration example: restrict PHP file access with open_basedir
# Add to php.ini or a per-site PHP-FPM pool configuration
open_basedir = "/var/www/html/wordpress/:/tmp/"
# Example nginx rule to block path traversal in query strings
if ($args ~* "\.\./") {
return 403;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

