Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-64363

CVE-2025-64363: Kleo Theme PHP File Inclusion Vulnerability

CVE-2025-64363 is a PHP local file inclusion vulnerability in SeventhQueen Kleo theme versions before 5.5.0 that allows attackers to include malicious files. This article covers the technical details, impact, and mitigation.

Published:

CVE-2025-64363 Overview

CVE-2025-64363 is a PHP Local File Inclusion (LFI) vulnerability affecting the SeventhQueen Kleo WordPress theme. The flaw stems from improper control of filenames passed to PHP include or require statements [CWE-98]. Authenticated attackers with low privileges can exploit the issue over the network to include arbitrary local files. Successful exploitation can disclose sensitive configuration data, leak credentials, or lead to code execution when attackers control includable file content. The vulnerability affects all Kleo theme versions up to and including 5.5.0.

Critical Impact

Authenticated attackers can include arbitrary PHP files on the WordPress server, exposing sensitive data and potentially achieving code execution.

Affected Products

  • SeventhQueen Kleo WordPress Theme versions prior to 5.5.0
  • WordPress sites using the Kleo theme up to version 5.5.0
  • Any WordPress installation with the vulnerable Kleo theme active

Discovery Timeline

  • 2025-10-31 - CVE-2025-64363 published to NVD
  • 2026-04-15 - Last updated in NVD database

Technical Details for CVE-2025-64363

Vulnerability Analysis

The vulnerability resides in the Kleo theme's handling of file paths supplied to PHP include or require statements. The theme accepts user-controlled input that is concatenated into a file path without sufficient sanitization or allow-list validation. PHP then loads and executes the targeted file in the context of the WordPress process.

Although the advisory classifies the weakness as PHP Remote File Inclusion (RFI), the realized impact is Local File Inclusion (LFI). An attacker can traverse directories using sequences such as ../ to reach files outside the intended theme directory. Targets typically include wp-config.php, log files, and uploaded payloads that contain PHP code.

The attack requires low-privilege authentication, meaning any authenticated user role with access to the vulnerable endpoint can attempt exploitation. The EPSS score is 0.109% with a percentile of 28.66, indicating limited observed exploitation activity at this time.

Root Cause

The root cause is improper control of the filename argument used in a PHP include, include_once, require, or require_once statement. The theme fails to enforce an allow-list of permitted files or to canonicalize and validate the resulting path against an expected base directory.

Attack Vector

The attacker authenticates to the target WordPress site with low privileges and sends a crafted request to the vulnerable Kleo theme endpoint. The malicious parameter contains a relative or absolute path pointing to a sensitive file. PHP resolves the path and executes or returns the contents of the included file.

For technical details and proof-of-concept references, consult the Patchstack Vulnerability Report.

Detection Methods for CVE-2025-64363

Indicators of Compromise

  • HTTP requests to Kleo theme endpoints containing ../ sequences or absolute paths in query parameters
  • Access log entries referencing wp-config.php, /etc/passwd, or other sensitive system files in request parameters
  • Unexpected PHP errors in web server logs referencing include() or require() with unusual file paths
  • Unauthorized read of WordPress configuration data or sudden credential reuse following Kleo theme requests

Detection Strategies

  • Inspect web server access logs for requests targeting Kleo theme PHP files with suspicious file path parameters
  • Deploy web application firewall (WAF) rules that block path traversal patterns in WordPress theme parameters
  • Monitor PHP error logs for failed to open stream or No such file or directory messages tied to dynamic includes
  • Correlate low-privilege user sessions with anomalous file access patterns on theme endpoints

Monitoring Recommendations

  • Enable file integrity monitoring on wp-config.php and other WordPress configuration files
  • Alert on outbound connections from the web server process that follow successful theme requests
  • Track authentication events for low-privilege accounts that suddenly access theme administration endpoints
  • Forward WordPress and web server logs to a centralized SIEM for correlation and retention

How to Mitigate CVE-2025-64363

Immediate Actions Required

  • Update the SeventhQueen Kleo theme to a version later than 5.5.0 as soon as the vendor publishes a fix
  • Audit WordPress user accounts and remove or restrict low-privilege roles that are not required
  • Rotate WordPress secrets, database credentials, and API keys stored in wp-config.php if exploitation is suspected
  • Review web server access logs for prior exploitation attempts referencing Kleo theme paths

Patch Information

The vendor advisory tracked by Patchstack identifies all versions up to and including 5.5.0 as vulnerable. Site operators should monitor the Patchstack Vulnerability Report and the SeventhQueen vendor channel for a patched release and apply it immediately.

Workarounds

  • Deactivate the Kleo theme until a patched version is available and switch to a default WordPress theme
  • Restrict access to the WordPress admin and theme endpoints using IP allow-listing or HTTP authentication
  • Configure PHP open_basedir to limit file system access for the web server process to the WordPress directory
  • Deploy WAF rules that block path traversal sequences and absolute paths in HTTP parameters
bash
# Configuration example: restrict PHP file access with open_basedir
# Add to php.ini or a per-site PHP-FPM pool configuration
open_basedir = "/var/www/html/wordpress/:/tmp/"

# Example nginx rule to block path traversal in query strings
if ($args ~* "\.\./") {
    return 403;
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.