Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-67925

CVE-2025-67925: Corpkit PHP File Inclusion Vulnerability

CVE-2025-67925 is a PHP local file inclusion vulnerability in Corpkit by zozothemes, allowing attackers to include malicious files. This post covers technical details, affected versions through 2.0, and mitigation.

Updated:

CVE-2025-67925 Overview

CVE-2025-67925 is a PHP Local File Inclusion (LFI) vulnerability affecting the Corpkit WordPress theme developed by zozothemes. This vulnerability arises from improper control of filename for include/require statements in PHP, allowing attackers to include arbitrary local files on the server. By exploiting this flaw, malicious actors can potentially read sensitive configuration files, access credentials, or chain the vulnerability with other techniques to achieve more severe impacts such as remote code execution.

Critical Impact

Attackers can exploit this LFI vulnerability to read sensitive files from the WordPress server, potentially exposing database credentials, configuration files, and other sensitive data that could lead to full site compromise.

Affected Products

  • zozothemes Corpkit WordPress Theme version 2.0 and earlier
  • WordPress installations running vulnerable Corpkit theme versions

Discovery Timeline

  • 2026-01-08 - CVE CVE-2025-67925 published to NVD
  • 2026-01-08 - Last updated in NVD database

Technical Details for CVE-2025-67925

Vulnerability Analysis

This vulnerability is classified under CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program). The Corpkit WordPress theme fails to properly sanitize user-supplied input before using it in PHP file inclusion functions. This allows an attacker to manipulate file paths and include arbitrary local files from the server's filesystem.

The vulnerability can be exploited over the network and requires some user interaction. When successfully exploited, it can lead to significant confidentiality and integrity impacts, as attackers may be able to read sensitive files containing database credentials, API keys, or other configuration data. Additionally, by including files containing PHP code or leveraging log poisoning techniques, attackers could potentially escalate to remote code execution.

Root Cause

The root cause of this vulnerability lies in insufficient input validation and sanitization within the Corpkit theme's PHP code. The theme uses user-controllable input directly in include(), require(), include_once(), or require_once() statements without properly validating or restricting the file paths that can be accessed. This allows attackers to traverse directories and include files outside the intended scope.

Attack Vector

The attack is network-based and requires an attacker to craft malicious requests targeting the vulnerable file inclusion functionality. Typical exploitation involves:

  1. Identifying the vulnerable parameter or endpoint in the Corpkit theme
  2. Injecting path traversal sequences (e.g., ../) to navigate the filesystem
  3. Including sensitive files such as /etc/passwd, wp-config.php, or log files
  4. Potentially chaining with log poisoning or other techniques for code execution

The vulnerability can be exploited without authentication, though user interaction is required for successful exploitation. For detailed technical information, see the Patchstack Vulnerability Database Entry.

Detection Methods for CVE-2025-67925

Indicators of Compromise

  • Unusual HTTP requests containing path traversal sequences such as ../, ..%2f, or encoded variants targeting theme files
  • Access logs showing requests attempting to include system files like /etc/passwd, wp-config.php, or log files
  • Web application firewall logs indicating blocked LFI attempts against the Corpkit theme
  • Unexpected file access patterns in server logs from the WordPress installation directory

Detection Strategies

  • Implement web application firewall (WAF) rules to detect and block path traversal patterns in requests to WordPress theme files
  • Monitor server access logs for suspicious requests containing directory traversal sequences
  • Deploy file integrity monitoring to detect unauthorized access to sensitive configuration files
  • Utilize SIEM solutions to correlate and alert on potential LFI exploitation attempts

Monitoring Recommendations

  • Enable detailed logging for WordPress and web server access to capture all requests to theme files
  • Configure alerting for any access attempts to sensitive files such as wp-config.php from the Corpkit theme
  • Regularly review access logs for anomalous patterns indicative of LFI exploitation
  • Implement real-time monitoring for path traversal attempts in web traffic

How to Mitigate CVE-2025-67925

Immediate Actions Required

  • Immediately disable or remove the Corpkit theme if it is version 2.0 or earlier until a patched version is available
  • Switch to a secure alternative WordPress theme as a temporary measure
  • Implement web application firewall rules to block path traversal attempts
  • Review server logs for any evidence of prior exploitation attempts
  • Audit file permissions to ensure sensitive files have appropriate access restrictions

Patch Information

As of the last update, users should check the Patchstack Vulnerability Database Entry for the latest patch information and remediation guidance from zozothemes. Contact the theme vendor directly for information about updated versions that address this vulnerability.

Workarounds

  • Disable the Corpkit theme entirely and switch to an alternative theme until a patch is available
  • Implement strict input validation at the web server or reverse proxy level to block path traversal sequences
  • Configure PHP's open_basedir directive to restrict file access to the WordPress directory
  • Use a WAF to filter requests containing LFI patterns targeting the theme
bash
# Example Apache .htaccess rules to block common LFI patterns
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{QUERY_STRING} (\.\./|\.\.%2f) [NC,OR]
    RewriteCond %{QUERY_STRING} (etc/passwd|wp-config\.php) [NC]
    RewriteRule .* - [F,L]
</IfModule>

# Example PHP open_basedir configuration in php.ini
# open_basedir = /var/www/html/wordpress/

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.