Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-69165

CVE-2025-69165: Choreo Path Traversal Vulnerability

CVE-2025-69165 is an unauthenticated path traversal flaw in Choreo versions 1.6 and earlier that enables local file inclusion attacks. This article covers the technical details, affected versions, and mitigation.

Published:

CVE-2025-69165 Overview

CVE-2025-69165 is an unauthenticated Local File Inclusion (LFI) vulnerability affecting the Choreo WordPress theme in versions 1.6 and earlier. The flaw maps to [CWE-98], improper control of filename for include/require statement in a PHP program. Remote attackers can include arbitrary local files through crafted requests without authentication. Successful exploitation can disclose sensitive configuration data, expose credentials stored in PHP files, and in certain configurations enable remote code execution by including attacker-controlled content. The vulnerability was published to the National Vulnerability Database (NVD) on 2026-06-17.

Critical Impact

Unauthenticated attackers can read arbitrary files from the WordPress server and, depending on environment configuration, escalate to remote code execution.

Affected Products

  • Choreo WordPress theme versions <= 1.6
  • WordPress installations using the vulnerable Choreo theme
  • Hosting environments running the affected theme on any PHP runtime

Discovery Timeline

  • 2026-06-17 - CVE-2025-69165 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-69165

Vulnerability Analysis

The Choreo theme contains an unauthenticated Local File Inclusion vulnerability classified under [CWE-98]. The vulnerable code path accepts user-controlled input and passes it to a PHP include, require, include_once, or require_once statement without proper validation. Attackers can manipulate this parameter to traverse the filesystem and include files outside the intended scope.

The attack requires no authentication and is delivered over the network. WordPress sites running the theme expose the vulnerable endpoint to any unauthenticated visitor. Once exploited, the attacker can read files such as wp-config.php, which contains database credentials and authentication keys.

In environments where attackers can influence file content on the server, such as uploaded session files, log files, or temporary directories, the LFI primitive can escalate to remote code execution. Patchstack categorizes this as a high-impact theme vulnerability.

Root Cause

The root cause is missing input validation on a parameter consumed by a PHP file inclusion function. The theme does not enforce an allowlist of permitted file names, does not normalize directory traversal sequences such as ../, and does not constrain inclusion to a specific directory.

Attack Vector

An attacker sends an HTTP request to the vulnerable theme endpoint with a manipulated parameter pointing to a target file path. The PHP runtime resolves the path and includes the file, returning its contents in the response or executing it as PHP. No credentials, cookies, or user interaction are required. Technical specifics are documented in the Patchstack WordPress Vulnerability Report.

Detection Methods for CVE-2025-69165

Indicators of Compromise

  • HTTP requests containing directory traversal sequences such as ../, ..%2f, or encoded variants in query parameters routed to Choreo theme files
  • Web server access logs showing requests referencing sensitive paths like wp-config.php, /etc/passwd, or /proc/self/environ
  • Outbound connections from the PHP-FPM or web server process to attacker infrastructure shortly after suspicious inclusion requests
  • Unexpected PHP error log entries referencing include() or require() failures with attacker-controlled paths

Detection Strategies

  • Inspect web access logs for query parameters containing path traversal patterns targeting the /wp-content/themes/choreo/ directory
  • Deploy web application firewall (WAF) rules that block traversal sequences and known LFI payloads against WordPress endpoints
  • Correlate file read events on wp-config.php and other sensitive files with the originating HTTP request to identify abuse
  • Run authenticated vulnerability scans across WordPress estates to enumerate sites using Choreo theme versions <= 1.6

Monitoring Recommendations

  • Enable PHP open_basedir enforcement and alert on violation entries in error logs
  • Monitor for child process creation from the web server user, which can indicate LFI-to-RCE escalation
  • Track integrity of WordPress theme directories and alert on unexpected file modifications

How to Mitigate CVE-2025-69165

Immediate Actions Required

  • Disable or remove the Choreo theme on any WordPress installation running version 1.6 or earlier until a fixed release is confirmed
  • Restrict access to the WordPress site behind a WAF with rules blocking path traversal and LFI payloads
  • Rotate database credentials, WordPress salts, and API keys stored in wp-config.php if exposure is suspected
  • Audit web server and PHP error logs for evidence of prior exploitation attempts

Patch Information

No vendor patch information is published in the NVD record at the time of writing. Refer to the Patchstack WordPress Vulnerability Report for the current remediation status and any fixed version released by the theme author.

Workarounds

  • Switch to an alternative, actively maintained WordPress theme until a patched Choreo release is available
  • Configure PHP open_basedir to confine file inclusion to the WordPress document root
  • Set allow_url_include = Off and allow_url_fopen = Off in php.ini to limit inclusion primitives
  • Deploy ModSecurity or equivalent WAF signatures targeting LFI patterns against the theme path
bash
# Configuration example
# php.ini hardening to reduce LFI impact
allow_url_include = Off
allow_url_fopen = Off
open_basedir = "/var/www/html:/tmp"

# Example ModSecurity rule blocking traversal against the theme path
SecRule REQUEST_URI "@contains /wp-content/themes/choreo/" \
  "chain,deny,status:403,id:1006916501,msg:'CVE-2025-69165 LFI attempt'"
  SecRule ARGS "@rx (\.\./|\.\.%2f|%2e%2e/|/etc/passwd|wp-config\.php)" "t:lowercase,t:urlDecodeUni"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.