Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-69125

CVE-2025-69125: Food Drop Path Traversal Vulnerability

CVE-2025-69125 is an unauthenticated local file inclusion flaw in Food Drop plugin versions 1.3 and earlier that allows attackers to access sensitive files. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2025-69125 Overview

CVE-2025-69125 is an unauthenticated Local File Inclusion (LFI) vulnerability affecting the Food Drop WordPress theme in versions up to and including 1.3. The flaw is classified under CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program). Remote attackers can include arbitrary local files without authentication, leading to disclosure of sensitive configuration data and, depending on server configuration, remote code execution. Patchstack assigned this issue a high severity rating based on the impact to confidentiality, integrity, and availability.

Critical Impact

Unauthenticated attackers can include arbitrary PHP files from the WordPress host, exposing credentials in wp-config.php and potentially achieving code execution through log poisoning or upload chaining.

Affected Products

  • Food Drop WordPress theme versions <= 1.3
  • WordPress sites with the vulnerable theme active or installed
  • Hosting environments running PHP with allow_url_include or permissive file system access

Discovery Timeline

  • 2026-06-17 - CVE-2025-69125 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-69125

Vulnerability Analysis

The Food Drop theme accepts user-controlled input that is passed to a PHP file inclusion function such as include, require, include_once, or require_once without proper validation. Because the parameter is reachable over the network and requires no authentication, any unauthenticated visitor can manipulate the path argument to load files outside the intended template directory.

LFI vulnerabilities of this type typically allow attackers to read PHP source, configuration files, and operating system files accessible to the web server user. When combined with log files, session files, or uploaded media, the same primitive frequently escalates to arbitrary PHP execution within the WordPress process.

Root Cause

The root cause is improper control of a filename used in a PHP include statement, mapped to [CWE-98]. The theme concatenates an attacker-controlled value into the path argument of an include function without canonicalization, allow-listing, or extension validation. Path traversal sequences such as ../ and absolute paths are not stripped before the file system call.

Attack Vector

The attack vector is network-based and unauthenticated. An attacker issues an HTTP request to a vulnerable theme endpoint with a crafted parameter pointing to a target file. The PHP runtime resolves the path and executes or returns the file contents. High attack complexity reflects the need to identify a writable or executable file path for full compromise, but file disclosure is straightforward.

No verified public proof-of-concept is referenced in the available data. Technical details are documented in the Patchstack advisory.

Detection Methods for CVE-2025-69125

Indicators of Compromise

  • HTTP requests to Food Drop theme endpoints containing path traversal sequences such as ../, ..%2f, or ....//
  • Requests with parameters referencing sensitive files including wp-config.php, /etc/passwd, or /proc/self/environ
  • Unexpected PHP errors in web server logs referencing include() or require() with attacker-controlled paths
  • Outbound connections or new admin user creation following suspicious theme requests

Detection Strategies

  • Inspect web server access logs for GET or POST parameters containing encoded traversal patterns directed at /wp-content/themes/food-drop/
  • Deploy WAF rules that flag null bytes, double-encoded slashes, and absolute paths in query parameters
  • Audit installed WordPress themes for the Food Drop theme at version <= 1.3

Monitoring Recommendations

  • Forward WordPress, PHP-FPM, and web server logs to a centralized analytics platform for correlation
  • Alert on reads of wp-config.php or file system paths outside the document root by the web server user
  • Track theme and plugin inventory changes across WordPress fleets to detect vulnerable installations

How to Mitigate CVE-2025-69125

Immediate Actions Required

  • Deactivate and remove the Food Drop theme on any site running version 1.3 or earlier until a fixed release is verified
  • Review WordPress and PHP error logs for prior exploitation attempts referencing theme files
  • Rotate any secrets stored in wp-config.php, including database credentials and authentication keys, if exposure is suspected
  • Audit administrator accounts and scheduled tasks for unauthorized additions

Patch Information

No fixed version is listed in the available CVE data. Refer to the Patchstack advisory for vendor patch status. Until a vendor-supplied fix is confirmed, treat the theme as actively vulnerable.

Workarounds

  • Replace the Food Drop theme with an alternative theme that does not exhibit the LFI behavior
  • Set allow_url_include = Off and open_basedir restrictions in php.ini to limit file inclusion scope
  • Apply WAF virtual patches that block traversal sequences and absolute paths in requests targeting theme directories
  • Restrict file permissions so the web server user cannot read sensitive files outside the WordPress installation
bash
# Configuration example: php.ini hardening
allow_url_include = Off
allow_url_fopen = Off
open_basedir = "/var/www/html:/tmp"
disable_functions = "exec,passthru,shell_exec,system,proc_open,popen"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.