CVE-2025-68064 Overview
CVE-2025-68064 is a Local File Inclusion (LFI) vulnerability in the Goya Core WordPress plugin in versions prior to 1.0.9.4. The flaw allows authenticated users with the Contributor role to include arbitrary local files through unsanitized input handled by the plugin. The weakness is classified as [CWE-98], Improper Control of Filename for Include/Require Statement in PHP Program. Successful exploitation can lead to disclosure of sensitive server files and, depending on server configuration, execution of attacker-controlled PHP code. The vulnerability was published to the National Vulnerability Database (NVD) on 2026-06-26.
Critical Impact
Authenticated Contributor-level users can include local files on the server, exposing sensitive data and potentially achieving code execution within the WordPress environment.
Affected Products
- Goya Core WordPress plugin versions prior to 1.0.9.4
- WordPress sites permitting Contributor-role registration or accounts
- Hosting environments serving affected Goya Core installations
Discovery Timeline
- 2026-06-26 - CVE-2025-68064 published to NVD
- 2026-06-26 - Last updated in NVD database
Technical Details for CVE-2025-68064
Vulnerability Analysis
The vulnerability resides in the Goya Core plugin's handling of file path parameters supplied through PHP include or require statements. The plugin fails to properly validate or sanitize user-supplied input before passing it to file inclusion functions. An authenticated user with Contributor privileges can craft requests that traverse the local filesystem and load arbitrary files.
Local File Inclusion vulnerabilities in PHP applications commonly expose configuration files such as wp-config.php, log files, and other sensitive resources. When combined with log poisoning or session file manipulation, LFI flaws can escalate into remote code execution. The requirement for a Contributor account raises the exploitation bar but does not eliminate risk, since many WordPress sites allow open registration or delegate authoring to third parties.
Root Cause
The root cause is improper control of filename parameters passed to include/require statements, categorized under [CWE-98]. The plugin trusts input that should be validated against an allowlist of expected files. Without canonicalization, path traversal sequences such as ../ allow attackers to break out of the intended directory and reach arbitrary locations on the server.
Attack Vector
Exploitation requires network access to the WordPress site and a valid Contributor-level authenticated session. The attacker submits a crafted request to the vulnerable Goya Core endpoint containing a manipulated file path parameter. The plugin then evaluates the parameter within an include statement, causing the target file to be loaded and rendered in the response context. Refer to the Patchstack advisory for additional technical detail.
Detection Methods for CVE-2025-68064
Indicators of Compromise
- HTTP requests to Goya Core plugin endpoints containing path traversal sequences such as ../ or encoded variants like %2e%2e%2f
- Web server access logs showing Contributor accounts requesting file paths outside the plugin directory
- Unexpected include or require errors in PHP logs referencing files under /etc/, wp-config.php, or session directories
- New or modified files in WordPress upload directories following suspicious Contributor activity
Detection Strategies
- Inspect web application firewall (WAF) logs for path traversal patterns targeting Goya Core plugin URIs
- Correlate authentication events for Contributor-role users with subsequent file access anomalies
- Deploy static analysis rules on PHP includes to flag dynamic file loading without allowlist validation
- Review WordPress audit logs for unusual plugin parameter usage tied to low-privilege accounts
Monitoring Recommendations
- Enable verbose logging on PHP file inclusion operations and forward logs to a centralized SIEM for correlation
- Alert on repeated 500-series responses from Goya Core endpoints, which may indicate probing attempts
- Monitor for reads of sensitive files such as wp-config.php, /etc/passwd, and PHP session files by the web server process
How to Mitigate CVE-2025-68064
Immediate Actions Required
- Update the Goya Core plugin to version 1.0.9.4 or later on all affected WordPress installations
- Audit existing Contributor-role accounts and remove accounts that are not actively required
- Review web server and PHP error logs for evidence of prior exploitation attempts targeting the plugin
- Restrict WordPress registration settings to prevent unauthenticated creation of Contributor accounts
Patch Information
The vendor addressed the vulnerability in Goya Core version 1.0.9.4. Site administrators should apply the update through the WordPress plugin manager or by replacing the plugin files with the patched release. Details are available in the Patchstack advisory.
Workarounds
- Temporarily disable the Goya Core plugin until the patched version can be deployed
- Apply WAF rules that block path traversal sequences in requests to the plugin endpoints
- Configure PHP open_basedir restrictions to limit file inclusion to trusted directories
- Revoke Contributor privileges from untrusted users until the patch is applied
# Example: restrict PHP file access via open_basedir in php.ini
open_basedir = "/var/www/html/:/tmp/"
disable_functions = "exec,passthru,shell_exec,system"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

