CVE-2025-67955 Overview
CVE-2025-67955 is a PHP Local File Inclusion (LFI) vulnerability affecting the TangibleWP MyHome Core WordPress plugin. The vulnerability stems from improper control of filename parameters used in PHP include/require statements, allowing attackers to include arbitrary local files from the server filesystem. This type of vulnerability (CWE-98) can lead to sensitive information disclosure, and in some configurations, may be chained with other techniques to achieve remote code execution.
Critical Impact
Attackers can exploit this LFI vulnerability to read sensitive files from the WordPress installation, potentially exposing configuration files containing database credentials, API keys, and other sensitive data.
Affected Products
- TangibleWP MyHome Core plugin versions up to and including 4.1.0
- WordPress installations running vulnerable MyHome Core plugin versions
Discovery Timeline
- 2026-01-22 - CVE-2025-67955 published to NVD
- 2026-01-22 - Last updated in NVD database
Technical Details for CVE-2025-67955
Vulnerability Analysis
This vulnerability exists due to improper sanitization of user-controlled input that is passed to PHP's include() or require() functions within the MyHome Core plugin. When an application uses dynamic file paths based on user input without proper validation, attackers can manipulate the path to include unintended files from the local filesystem.
In the context of WordPress plugins, LFI vulnerabilities are particularly dangerous because they can be used to read the wp-config.php file, which contains database credentials and authentication keys. Additionally, if the server configuration allows, attackers may be able to leverage log file poisoning or other techniques to escalate the LFI to remote code execution.
The vulnerability classification as CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program) indicates that the plugin fails to properly restrict which files can be included through its functionality.
Root Cause
The root cause of this vulnerability is the insufficient validation and sanitization of file path parameters before they are used in PHP include or require statements. The MyHome Core plugin does not adequately restrict the files that can be loaded, allowing path traversal sequences (such as ../) or absolute paths to be injected by malicious users.
Attack Vector
An attacker can exploit this vulnerability by manipulating HTTP request parameters that control which files are loaded by the plugin. By crafting malicious input containing directory traversal sequences, the attacker can break out of the intended directory and include sensitive files from elsewhere on the server.
The attack typically involves:
- Identifying the vulnerable parameter that controls file inclusion
- Crafting a payload with path traversal sequences to navigate to sensitive files
- Submitting the malicious request to read arbitrary local files
For technical details on this vulnerability, refer to the Patchstack Vulnerability Report.
Detection Methods for CVE-2025-67955
Indicators of Compromise
- Unusual HTTP requests containing path traversal sequences (../, ..%2f) targeting the MyHome Core plugin endpoints
- Web server logs showing attempts to access sensitive files like wp-config.php or /etc/passwd
- Failed authentication attempts following successful LFI exploitation (a possible sign that stolen credentials are being tried)
Detection Strategies
- Monitor web application firewall (WAF) logs for path traversal patterns in requests targeting /wp-content/plugins/myhome-core/ endpoints
- Implement file integrity monitoring on critical WordPress configuration files
- Review access logs for unusual file access patterns, particularly targeting files outside the web root
Monitoring Recommendations
- Enable detailed logging for the WordPress installation and PHP error logs
- Configure alerts for any requests containing common LFI payloads or path traversal patterns
- Monitor for unauthorized access to sensitive WordPress directories and configuration files
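As an added example (not part of the advisory, Patchstack's report, or the plugin's own code), the following Python script applies the detection strategies above to constructed Apache access log lines: it percent-decodes each request target until stable, so that plain ../, URL-encoded ..%2f and double-encoded %252e%252e%252f probes are all normalised, then flags requests under the /wp-content/plugins/myhome-core/ path that carry traversal sequences or reference wp-config.php or /etc/passwd, and marks 2xx responses as reads that may have succeeded. The endpoint name "example-endpoint.php" and parameter "file" in the sample lines are placeholders, since the advisory does not name the vulnerable parameter.

```python
import re
from urllib.parse import unquote

PLUGIN_PREFIX = "/wp-content/plugins/myhome-core/"   # plugin path named in the advisory
SENSITIVE_TARGETS = ("wp-config.php", "/etc/passwd")  # files the advisory's IoCs call out
TRAVERSAL = re.compile(r"\.\.[/\\]")
# Apache combined log format: client ident user [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# Constructed sample log lines (not real traffic). "example-endpoint.php" and "file" are
# placeholders: the advisory does not name the vulnerable endpoint or parameter.
SAMPLE_LOG = """\
203.0.113.5 - - [22/Jan/2026:10:01:02 +0000] "GET /wp-content/plugins/myhome-core/example-endpoint.php?file=../../../../wp-config.php HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.5 - - [22/Jan/2026:10:01:05 +0000] "GET /wp-content/plugins/myhome-core/example-endpoint.php?file=..%2f..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1024 "-" "curl/8.0"
203.0.113.5 - - [22/Jan/2026:10:01:09 +0000] "GET /wp-content/plugins/myhome-core/example-endpoint.php?file=%252e%252e%252f%252e%252e%252fwp-config.php HTTP/1.1" 403 199 "-" "curl/8.0"
198.51.100.7 - - [22/Jan/2026:10:02:00 +0000] "GET /wp-content/plugins/myhome-core/assets/style.css HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [22/Jan/2026:10:02:03 +0000] "GET /?p=12 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

def fully_decode(s: str, rounds: int = 3) -> str:
    """Percent-decode until stable so ..%2f and double-encoded %252e%252e%252f both become ../"""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s

def inspect_request(target: str) -> list:
    """Reasons a request target looks like an LFI attempt on the plugin; empty list if clean."""
    decoded = fully_decode(target)
    if not decoded.startswith(PLUGIN_PREFIX):
        return []
    reasons = []
    if TRAVERSAL.search(decoded):
        reasons.append("path traversal sequence")
    reasons += [f"references {t}" for t in SENSITIVE_TARGETS if t in decoded]
    if reasons and decoded != target:
        reasons.append("url-encoded")  # encoded probes often aim to slip past naive WAF rules
    return reasons

def scan_log(text: str) -> list:
    """Flag suspicious requests; a 2xx status means the included file may actually have been read."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and (reasons := inspect_request(m["target"])):
            status = int(m["status"])
            hits.append({"ip": m["ip"], "status": status, "target": m["target"],
                         "reasons": reasons, "possible_success": 200 <= status < 300})
    return hits
```

Run scan_log over a real access log file's contents and review any hit with possible_success set: those are the requests whose response bodies should be treated as a potential disclosure of wp-config.php.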
How to Mitigate CVE-2025-67955
Immediate Actions Required
- Update the MyHome Core plugin to a patched version as soon as one becomes available from TangibleWP
- Review web server access logs for any evidence of exploitation attempts
- Consider temporarily disabling the MyHome Core plugin until a patch is available if the site handles sensitive data
- Implement WAF rules to block common LFI attack patterns
Patch Information
Users should monitor the Patchstack Vulnerability Report for updates on patch availability. Contact TangibleWP support for information on security updates for MyHome Core versions above 4.1.0.
Workarounds
- Deploy a Web Application Firewall (WAF) with rules to detect and block path traversal attempts
- Restrict PHP's open_basedir configuration to limit which directories PHP can access
- Implement server-level access controls to protect sensitive files like wp-config.php
- Consider using WordPress security plugins that provide additional input validation and request filtering
# Example: Restrict PHP open_basedir in the Apache virtual host (mod_php)
# php_admin_value is only accepted in httpd.conf / <VirtualHost> context, not in .htaccess;
# in .htaccess use php_value instead (if AllowOverride permits), and for PHP-FPM set
# open_basedir in the pool config or php.ini. /tmp is included so PHP sessions keep working.
# Note: this blocks reads of files like /etc/passwd, but not of wp-config.php, which lives
# inside the permitted web root.
php_admin_value open_basedir /var/www/html/your-wordpress-site/:/tmp/
# Example: Block common LFI patterns in Apache .htaccess (requires mod_rewrite)
# mod_rewrite does not percent-decode QUERY_STRING, so encoded and double-encoded
# dot-dot sequences (..%2f, %252e%252e) must be matched explicitly; [NC] covers %2E.
RewriteEngine On
RewriteCond %{QUERY_STRING} (\.\.|%2e%2e|%252e%252e) [NC]
RewriteRule .* - [F,L]
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.