
CVE-2025-67936: Qodeinteractive Curly Path Traversal

CVE-2025-67936 is a path traversal vulnerability in Qodeinteractive Curly allowing PHP Local File Inclusion attacks. This post explains the technical details, affected versions through 3.3, and mitigation steps.


CVE-2025-67936 Overview

CVE-2025-67936 is a PHP Local File Inclusion (LFI) vulnerability in the Curly WordPress theme from Mikado-Themes (tracked as qodeinteractive:curly). The flaw stems from improper control of a filename parameter that reaches a PHP include or require statement [CWE-98]. An attacker can use it to include arbitrary local PHP files in the web server's context, which yields information disclosure or code execution depending on which files are reachable. All Curly versions up to and including 3.3 are affected. Operators running the theme should treat this as remotely exploitable, since no authentication is required, although the attack complexity is rated high.

Critical Impact

Unauthenticated attackers can include arbitrary local PHP files, compromising confidentiality, integrity, and availability of WordPress sites running the Curly theme.

Affected Products

  • Mikado-Themes Curly (WordPress theme) versions up to and including 3.3
  • WordPress installations using the qodeinteractive:curly theme component
  • Any site bundling the vulnerable Curly theme files, even if not active

Discovery Timeline

  • 2026-01-08 - CVE-2025-67936 published to NVD
  • 2026-02-03 - Last updated in NVD database

Technical Details for CVE-2025-67936

Vulnerability Analysis

The Curly theme contains a PHP file inclusion sink that fails to validate or sanitize attacker-controlled input before passing it to an include or require statement. This pattern is classified under [CWE-98], Improper Control of Filename for Include/Require Statement in PHP Program. Although the original CWE name references Remote File Inclusion, the Patchstack advisory confirms that exploitation is limited to Local File Inclusion in this case. Attackers can traverse the filesystem to load PHP files outside the intended directory. Successful inclusion executes the targeted file in the WordPress process context.

Root Cause

The root cause is missing allowlist validation on a filename parameter consumed by a PHP inclusion function. User-supplied input flows directly into a path used by include, include_once, require, or require_once without normalization against a fixed set of permitted templates. Path traversal sequences such as ../ are not stripped, and file extensions are not enforced.

Attack Vector

The attack vector is network-based and requires no authentication or user interaction. An attacker sends a crafted HTTP request to a Curly theme endpoint that accepts the vulnerable filename parameter. By supplying a traversal payload, the attacker forces PHP to include a local file of their choice. If the attacker can plant PHP content in any writable location, such as an uploads directory or a log file, inclusion of that file results in arbitrary code execution. The high attack complexity reflects the conditions required to convert local file disclosure into full code execution.

No public proof-of-concept code is available. See the Patchstack WordPress Vulnerability advisory for vendor-specific technical details.
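To make the root cause concrete, the following is a generic illustration of the CWE-98 pattern described above beside a hardened version. It is example code written for this page, not code from the Curly theme or the Patchstack advisory, and it is not an exploit for this CVE: the "template" parameter name, the templates/ directory layout and the allowlist entries are assumptions. It runs stand-alone against a throwaway directory it creates in the system temp folder.

```php
<?php
// Added illustration of the CWE-98 pattern (not Curly's code). The "template"
// parameter, the templates/ layout and the allowlist entries are assumptions.

// VULNERABLE: the request parameter is concatenated straight into the include
// path. "../" is never stripped, and the appended ".php" suffix is no defence
// once the attacker points at a file that already ends in .php (wp-config.php,
// or a PHP file planted under wp-content/uploads/).
function vulnerable_template_path(string $templatesDir, string $template): string
{
    return $templatesDir . '/' . $template . '.php';
}

// HARDENED: exact-match allowlist first, then a realpath containment check.
// Returns the resolved path, or null when the request must be refused.
function hardened_template_path(string $templatesDir, string $template): ?string
{
    static $allowed = ['portfolio', 'blog-single', 'sidebar']; // assumed names

    if (!in_array($template, $allowed, true)) {
        return null; // anything the endpoint was not designed to load is rejected
    }

    $root = realpath($templatesDir);
    if ($root === false) {
        return null;
    }
    $path = realpath($root . '/' . $template . '.php');
    // The resolved file must sit below the templates directory even after
    // symlink and ".." resolution; this also catches symlinks dropped there.
    if ($path === false
        || strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Stand-alone demo against a throwaway directory tree:
//   <tmp>/templates/portfolio.php   legitimate template
//   <tmp>/secret.php                stands in for a file outside templates/
$base = sys_get_temp_dir() . '/lfi-demo-' . getmypid();
$templatesDir = $base . '/templates';
mkdir($templatesDir, 0700, true);
file_put_contents($templatesDir . '/portfolio.php', "<?php echo \"rendered portfolio template\\n\";\n");
file_put_contents($base . '/secret.php', "<?php echo \"outside templates/\\n\";\n");

// Constructed request values: one legitimate name, two traversal payloads.
$requests = ['portfolio', '../secret', '../../../../../../var/www/html/wp-config'];

foreach ($requests as $t) {
    $vuln = vulnerable_template_path($templatesDir, $t);
    $safe = hardened_template_path($templatesDir, $t);
    printf("template=%s\n", $t);
    printf("  vulnerable path : %s (exists: %s)\n", $vuln, file_exists($vuln) ? 'yes' : 'no');
    printf("  hardened result : %s\n", $safe ?? 'REJECTED');
    if ($safe !== null) {
        include $safe; // only ever reached for an allowlisted, contained file
    }
}

// Clean up the demo tree.
unlink($templatesDir . '/portfolio.php');
unlink($base . '/secret.php');
rmdir($templatesDir);
rmdir($base);
```

The allowlist alone is sufficient when the set of templates is fixed; the realpath containment check is kept as a second layer so that a later, looser allowlist (or a symlink planted in the templates directory) still cannot escape the intended tree.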

Detection Methods for CVE-2025-67936

Indicators of Compromise

  • HTTP requests to Curly theme PHP files containing ../, ..%2f, or null byte sequences in query parameters
  • Web server access logs showing requests for sensitive paths such as /etc/passwd, wp-config.php, or files under wp-content/uploads/ referenced through theme parameters
  • Unexpected PHP processes spawning shell utilities (sh, bash, curl, wget) from the WordPress worker user
  • New or modified PHP files in wp-content/uploads/ or other writable directories

Detection Strategies

  • Inspect web server logs for parameter values containing path traversal patterns directed at theme files under wp-content/themes/curly/
  • Deploy a Web Application Firewall (WAF) rule blocking LFI payloads targeting WordPress theme endpoints
  • Hash all PHP files in the Curly theme directory and alert on drift, since the theme should not write new PHP files at runtime
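The indicators and log-inspection strategy above, run over sample access log lines, as an added example that is not part of the original advisory. The log lines are constructed for this page (RFC 5737 test addresses, a placeholder endpoint file name and parameter); no real Curly file or parameter name is implied. The script decodes nested URL encoding so that ..%2f, %2e%2e%2f and double-encoded %252e%252e%252f all collapse to ../ before matching.

```php
<?php
// Added detection example for the indicators listed above. Sample log lines
// are constructed; "placeholder.php" and "template" are not real Curly names.

// Collapse nested URL encoding, fold backslashes to slashes and lowercase, so
// one substring check covers the common evasions.
function normalize_target(string $target): string
{
    for ($i = 0; $i < 3; $i++) {
        $decoded = rawurldecode($target);
        if ($decoded === $target) {
            break;
        }
        $target = $decoded;
    }
    return strtolower(str_replace('\\', '/', $target));
}

// Parse one combined-format access log line and return a finding when the
// request targets the theme directory with traversal or sensitive-path
// indicators; null otherwise.
function classify_request(string $line, string $themePrefix = '/wp-content/themes/curly/'): ?array
{
    if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/', $line, $m)) {
        return null; // not a combined-format line
    }
    [, $client, $timestamp, $method, $target, $status] = $m;

    $norm = normalize_target($target);
    if (strpos($norm, $themePrefix) !== 0) {
        return null; // only theme endpoints are in scope here
    }

    $indicators = [];
    if (strpos($norm, '../') !== false) {
        $indicators[] = 'traversal';
    }
    if (strpos($norm, "\0") !== false) {
        $indicators[] = 'null-byte';
    }
    foreach (['/etc/passwd', 'wp-config', 'uploads/'] as $needle) {
        if (strpos($norm, $needle) !== false) {
            $indicators[] = 'sensitive-path:' . $needle;
        }
    }
    if ($indicators === []) {
        return null;
    }
    return compact('client', 'timestamp', 'method', 'target', 'status', 'indicators');
}

// Constructed sample log lines: three probes, two benign requests.
$sample = [
    '203.0.113.7 - - [08/Jan/2026:10:15:01 +0000] "GET /wp-content/themes/curly/placeholder.php?template=../../../../wp-config HTTP/1.1" 200 512 "-" "curl/8.4.0"',
    '203.0.113.7 - - [08/Jan/2026:10:15:03 +0000] "GET /wp-content/themes/curly/placeholder.php?template=..%252f..%252fuploads%252f2026%252f01%252fx.php HTTP/1.1" 200 3301 "-" "curl/8.4.0"',
    '203.0.113.7 - - [08/Jan/2026:10:15:05 +0000] "GET /wp-content/themes/curly/placeholder.php?template=..%2F..%2F..%2F..%2Fetc%2Fpasswd%00 HTTP/1.1" 500 0 "-" "curl/8.4.0"',
    '198.51.100.20 - - [08/Jan/2026:10:16:00 +0000] "GET /wp-content/themes/curly/assets/css/style.css HTTP/1.1" 200 41200 "https://example.org/" "Mozilla/5.0"',
    '198.51.100.21 - - [08/Jan/2026:10:16:02 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 37 "https://example.org/wp-admin/" "Mozilla/5.0"',
];

foreach ($sample as $line) {
    $finding = classify_request($line);
    if ($finding !== null) {
        printf("[%s] %s %s %s -> %s (HTTP %s)\n",
            $finding['timestamp'], $finding['client'], $finding['method'],
            $finding['target'], implode(',', $finding['indicators']), $finding['status']);
    }
}
```

The first three lines are flagged (traversal plus wp-config, uploads/ and /etc/passwd with a null byte respectively); the stylesheet and admin-ajax requests are not. Treat the HTTP status as context rather than proof: a 200 on a traversal payload means the include found a file and deserves triage, while a 500 may be either a miss or a successful include that then errored.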

Monitoring Recommendations

  • Monitor outbound network connections from the PHP-FPM or web server process for anomalous destinations
  • Track file creation events in WordPress upload and cache directories using endpoint telemetry
  • Alert on PHP error logs containing "failed to open stream" or "include(): Failed opening" warnings that reference unexpected paths; these are the footprints of traversal probes that missed and usually precede one that lands

How to Mitigate CVE-2025-67936

Immediate Actions Required

  • Identify all WordPress installations using the Curly theme and confirm the installed version
  • Disable and remove the Curly theme if a patched version is not yet available from Mikado-Themes
  • Restrict access to WordPress theme endpoints through a WAF until a fix is applied
  • Audit wp-content/uploads/ and other writable directories for unauthorized PHP files

Patch Information

At the time of NVD publication, the advisory lists affected versions up to and including 3.3, with no fixed version explicitly identified. Site administrators should consult the Patchstack WordPress Vulnerability advisory and Mikado-Themes directly for the latest patched release and apply it immediately upon availability.

Workarounds

  • Block requests containing path traversal sequences (../, ..%2f, %2e%2e%2f) at the WAF or reverse proxy layer
  • Set open_basedir in php.ini to restrict PHP file access to the WordPress installation directory; this blocks traversal to paths such as /etc/passwd but does not stop inclusion of files inside the WordPress tree, such as wp-config.php or PHP planted under wp-content/uploads/
  • Disable execution of PHP files within wp-content/uploads/ using web server configuration rules
  • Run WordPress under a least-privilege system account with read-only access to theme and core files where feasible
Configuration example: restrict PHP open_basedir and block PHP execution in uploads (Apache).

```ini
; php.ini: PHP may only open files below these paths (trailing slash keeps
; /var/www/html-evil from matching). Tighten to the actual docroot in use.
open_basedir = "/var/www/html/:/tmp/"
```

```apache
# .htaccess inside wp-content/uploads/ (needs AllowOverride enabled for this
# directory; otherwise place the same block in the vhost's <Directory> section)
<FilesMatch "\.(php|php3|php4|php5|phtml)$">
    Require all denied
</FilesMatch>
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
