CVE-2025-64364 Overview
CVE-2025-64364 is a Local File Inclusion (LFI) vulnerability in the StylemixThemes MasterStudy WordPress theme. The flaw stems from improper control of filename parameters used in PHP include or require statements, classified under [CWE-98]. Authenticated attackers with low privileges can manipulate file path parameters to include arbitrary PHP files from the local filesystem. All MasterStudy theme versions up to and including 4.8.126 are affected.
Critical Impact
Authenticated attackers can read sensitive files, execute embedded PHP code, and potentially achieve remote code execution by including attacker-controlled files already present on the server.
Affected Products
- StylemixThemes MasterStudy WordPress theme versions through 4.8.126
- WordPress installations using the vulnerable MasterStudy theme
- Learning Management System (LMS) deployments built on MasterStudy
Discovery Timeline
- 2025-10-31 - CVE-2025-64364 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-64364
Vulnerability Analysis
The vulnerability is a PHP Local File Inclusion flaw within the MasterStudy theme codebase. User-supplied input flows into a PHP include or require statement without sufficient sanitization or allow-listing. An attacker with low-privilege authenticated access on the WordPress site can supply crafted filename values that resolve to arbitrary local paths.
When the included file contains PHP code, the server executes that code in the context of the web application. When it points to a static file such as wp-config.php, the attacker can disclose database credentials, authentication keys, and salts. The issue is tracked under [CWE-98] (Improper Control of Filename for Include/Require Statement in PHP Program). EPSS data places the current exploitation probability at 0.109%.
Root Cause
The root cause is the use of unvalidated request parameters as filesystem paths inside dynamic PHP file inclusion calls. The theme does not enforce a strict allow-list of permitted include targets and does not canonicalize paths before resolving them. Path traversal sequences and absolute paths are therefore honored by the inclusion logic.
Attack Vector
The vulnerability is reachable over the network through standard HTTP(S) requests to the WordPress site. Exploitation requires a valid authenticated session at a low privilege level and a crafted request targeting the vulnerable inclusion endpoint. Attack complexity is higher because the attacker must identify a usable local file whose contents either disclose sensitive data or contain PHP that executes when included, such as poisoned log files or uploaded media.
No verified public exploit code is available for CVE-2025-64364 at this time. Refer to the Patchstack advisory for vendor-coordinated details.
Detection Methods for CVE-2025-64364
Indicators of Compromise
- HTTP request parameters containing path traversal sequences such as ../, encoded variants like %2e%2e%2f, or absolute paths to files like /etc/passwd or wp-config.php.
- Unexpected PHP error log entries referencing include(), require(), or failed to open stream for paths outside the theme directory.
- Web server access logs showing low-privilege authenticated users issuing repeated requests to MasterStudy theme endpoints with unusual file, template, or path parameters.
Detection Strategies
- Inspect WordPress access logs for requests to MasterStudy endpoints carrying filename-like parameters and traversal patterns.
- Deploy a Web Application Firewall (WAF) rule set that flags LFI signatures targeting PHP include parameters.
- Correlate authenticated low-privilege user activity with PHP file-system access anomalies on the host.
Monitoring Recommendations
- Monitor file integrity on wp-config.php, theme directories, and the WordPress uploads folder for unauthorized reads or writes.
- Alert on PHP processes spawning unexpected child processes such as shells, which may indicate post-LFI code execution.
- Track failed and successful logins for subscriber and contributor accounts that subsequently access theme endpoints.
How to Mitigate CVE-2025-64364
Immediate Actions Required
- Update the StylemixThemes MasterStudy theme to a version later than 4.8.126 as soon as the vendor patch is available.
- Audit WordPress user accounts and revoke unused low-privilege accounts that could be abused for authenticated exploitation.
- Rotate WordPress secrets in wp-config.php and database credentials if compromise is suspected.
Patch Information
The vulnerability affects MasterStudy versions up to and including 4.8.126. Consult the Patchstack vulnerability report for the fixed version and vendor remediation guidance.
Workarounds
- Restrict MasterStudy theme endpoints behind a WAF policy that blocks path traversal patterns and absolute paths in request parameters.
- Set the PHP open_basedir directive to constrain file inclusion to the WordPress installation directory.
- Disable or limit user registration and remove low-privilege accounts that are not strictly required for site operation.
# Example php.ini hardening to limit file inclusion scope
open_basedir = "/var/www/html/:/tmp/"
allow_url_include = Off
allow_url_fopen = Off
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
