Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-69112

CVE-2025-69112: Planty Path Traversal Vulnerability

CVE-2025-69112 is an unauthenticated local file inclusion flaw in Planty versions 1.14.0 and earlier that allows attackers to access sensitive files. This article covers technical details, affected versions, and mitigations.

Published:

CVE-2025-69112 Overview

CVE-2025-69112 is an unauthenticated Local File Inclusion (LFI) vulnerability affecting the Planty WordPress theme in versions up to and including 1.14.0. The flaw is classified under CWE-98, Improper Control of Filename for Include/Require Statement in PHP Program. Attackers can reach the vulnerable code path over the network without authentication or user interaction. Successful exploitation allows attackers to include arbitrary local files, exposing sensitive configuration data and potentially enabling code execution when combined with file upload primitives.

Critical Impact

Unauthenticated remote attackers can include arbitrary server-side files through the Planty theme, leading to disclosure of credentials in wp-config.php and potential PHP code execution on affected WordPress sites.

Affected Products

  • Planty WordPress theme versions <= 1.14.0
  • WordPress sites running the Planty theme as an active or installed theme
  • Hosting environments that allow PHP include/require to resolve user-controlled paths

Discovery Timeline

  • 2026-06-17 - CVE-2025-69112 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-69112

Vulnerability Analysis

The Planty theme passes attacker-controlled input into a PHP file inclusion sink without adequate validation or path canonicalization. This pattern matches CWE-98, where a filename used in include, require, include_once, or require_once is influenced by external data. Because the endpoint is reachable without authentication, any unauthenticated visitor can trigger the inclusion logic. The attack complexity is rated high, indicating that exploitation requires specific conditions such as predictable file paths, particular server configurations, or non-default settings. The Patchstack advisory tracks the issue against Planty theme builds at or below version 1.14.0.

Root Cause

The root cause is improper neutralization of path traversal sequences and absolute path components in a filename parameter consumed by a PHP include statement. The theme does not enforce an allowlist of permitted templates and does not constrain inclusion to a fixed base directory. As a result, sequences such as ../ and absolute paths resolve to files outside the intended template directory.

Attack Vector

The vulnerability is exploited over the network against an HTTP endpoint exposed by the Planty theme. An unauthenticated attacker submits a crafted request containing a manipulated file path parameter. The PHP interpreter then loads and executes the referenced file in the context of the WordPress process. Targets typically include wp-config.php for credential disclosure, log files for log poisoning chains, and uploaded media when combined with a writable upload primitive.

No verified public proof-of-concept code is available at this time. Refer to the Patchstack Vulnerability Report for additional technical context.

Detection Methods for CVE-2025-69112

Indicators of Compromise

  • HTTP requests to Planty theme files containing path traversal sequences such as ../, ..%2f, or URL-encoded null bytes in query parameters.
  • Web server access logs showing requests that reference sensitive files such as wp-config.php, /etc/passwd, or PHP session files.
  • Unexpected PHP errors or warnings referencing include() or require() failures with attacker-controlled paths in error_log.

Detection Strategies

  • Inspect WordPress access logs for requests targeting Planty theme PHP files with parameters that contain file paths or traversal patterns.
  • Deploy web application firewall (WAF) rules that flag include parameters resolving outside the theme directory.
  • Correlate inclusion attempts with subsequent administrative logins to detect credential reuse following wp-config.php disclosure.

Monitoring Recommendations

  • Enable PHP open_basedir violation logging to surface attempts to read files outside the WordPress root.
  • Monitor file integrity on wp-config.php, theme files, and upload directories for unexpected reads and writes.
  • Alert on outbound traffic from the WordPress host to unknown destinations, which can indicate post-exploitation activity.

How to Mitigate CVE-2025-69112

Immediate Actions Required

  • Identify all WordPress installations running the Planty theme and confirm the installed version against 1.14.0.
  • Disable or uninstall the Planty theme until a vendor-patched release is available and verified.
  • Rotate WordPress database credentials, authentication keys, and salts defined in wp-config.php if exploitation is suspected.

Patch Information

At the time of publication, the Patchstack advisory is the authoritative reference for fix availability. Administrators should upgrade to any release later than 1.14.0 that explicitly addresses CVE-2025-69112 and validate the patch through the vendor changelog before redeploying the theme.

Workarounds

  • Block requests to vulnerable Planty endpoints at the WAF or reverse proxy layer using rules that reject traversal sequences in query parameters.
  • Restrict PHP file access using open_basedir to confine includes to the WordPress installation directory.
  • Disable PHP wrappers such as phar://, data://, and expect:// in php.ini to reduce the impact of inclusion primitives.
bash
# Example open_basedir restriction in php.ini for the WordPress vhost
open_basedir = "/var/www/wordpress/:/tmp/"
allow_url_include = Off
allow_url_fopen = Off

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.