CVE-2025-67937 Overview
CVE-2025-67937 is a PHP Local File Inclusion (LFI) vulnerability affecting the Mikado-Themes Hendon WordPress theme by Qodeinteractive. The flaw stems from improper control of filename parameters used in PHP include or require statements [CWE-98]. Attackers can manipulate file path inputs to load arbitrary local PHP files on the server. The vulnerability affects all Hendon theme versions up to and including 1.7. Successful exploitation can lead to disclosure of sensitive files, execution of attacker-controlled PHP, and full compromise of the underlying WordPress site.
Critical Impact
Remote attackers can include arbitrary local PHP files, potentially leading to information disclosure and remote code execution on affected WordPress installations.
Affected Products
- Mikado-Themes Hendon WordPress Theme (versions through 1.7)
- Qodeinteractive Hendon (all versions prior to patched release)
- WordPress installations using vulnerable Hendon theme builds
Discovery Timeline
- 2026-01-08 - CVE-2025-67937 published to NVD
- 2026-02-03 - Last updated in NVD database
Technical Details for CVE-2025-67937
Vulnerability Analysis
The Hendon theme accepts user-controllable input that flows into a PHP include or require statement without adequate validation or sanitization. This pattern, classified under [CWE-98], allows attackers to influence which file the PHP interpreter loads. Because the parameter is not constrained to a safe allow-list of resources, attackers can traverse the local filesystem and force inclusion of unintended PHP files.
When a vulnerable parameter is reached over the network, no authentication is required, and no user interaction is needed to trigger the flaw. The high attack complexity reflects conditions that the attacker must satisfy, such as crafting a valid path that resolves on the target system. Once inclusion succeeds, the PHP interpreter executes the included file in the context of the web server process.
Root Cause
The root cause is unsanitized user input being passed directly to a PHP file inclusion function. The theme does not enforce a strict allow-list, does not normalize paths, and does not validate that the requested resource resides within an expected directory. This violates secure coding practices for dynamic file inclusion in PHP.
Attack Vector
The vulnerability is exploitable over the network through crafted HTTP requests to a WordPress site running the Hendon theme. An unauthenticated attacker supplies a manipulated filename parameter that the theme passes to a PHP inclusion routine. Refer to the Patchstack WordPress Vulnerability Report for additional technical context.
Detection Methods for CVE-2025-67937
Indicators of Compromise
- HTTP requests containing path traversal sequences such as ../ targeting Hendon theme PHP endpoints under /wp-content/themes/hendon/.
- Unexpected access patterns referencing local files like /etc/passwd, wp-config.php, or PHP session files via theme parameters.
- Web server logs showing repeated requests with suspicious file path values in query strings or POST bodies.
- Unexpected PHP file modifications or new files created within the WordPress installation directory.
Detection Strategies
- Inspect web server and WordPress logs for parameter values containing filesystem paths, null bytes, or traversal sequences directed at the Hendon theme.
- Deploy Web Application Firewall (WAF) rules that block LFI patterns in requests targeting /wp-content/themes/hendon/.
- Monitor PHP error logs for include/require warnings referencing unexpected file paths.
Monitoring Recommendations
- Alert on any read access to sensitive configuration files such as wp-config.php initiated by the web server process outside expected workflows.
- Track outbound connections from the WordPress host that follow suspicious inclusion attempts, which may indicate post-exploitation activity.
- Maintain file integrity monitoring across the WordPress document root and theme directories.
How to Mitigate CVE-2025-67937
Immediate Actions Required
- Identify all WordPress sites running the Mikado-Themes Hendon theme version 1.7 or earlier.
- Upgrade the Hendon theme to a fixed version once released by the vendor, per the Patchstack advisory.
- If no fix is yet available, disable or replace the Hendon theme with a supported alternative.
- Audit web server and WordPress logs for evidence of prior exploitation attempts.
Patch Information
At the time of NVD publication, the advisory lists the vulnerability as affecting Hendon versions up to and including 1.7. Administrators should consult the Patchstack WordPress Vulnerability Report and the Mikado-Themes vendor channels for the latest patched release and apply it across all affected sites.
Workarounds
- Apply WAF rules that block LFI payloads, including path traversal sequences and absolute filesystem paths, in requests to the Hendon theme.
- Restrict PHP open_basedir to the WordPress installation directory to limit which files the interpreter can include.
- Set allow_url_include to Off and allow_url_fopen to Off in php.ini to reduce inclusion-related attack surface.
- Remove or restrict access to vulnerable theme endpoints at the web server level until a patch is installed.
# Configuration example: harden php.ini against file inclusion abuse
allow_url_include = Off
allow_url_fopen = Off
open_basedir = "/var/www/html/:/tmp/"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

