CVE-2025-12549

9.8 CRITICAL

📋 TL;DR

This CVE describes a PHP Local File Inclusion (LFI) vulnerability in the Rozy - Flower Shop WordPress theme. Because the filename passed to a PHP include/require statement is not properly controlled, attackers can include arbitrary local files, potentially leading to code execution. All WordPress sites running Rozy theme versions up to and including 1.2.25 are affected.

💻 Affected Systems

Products:
  • Rozy - Flower Shop WordPress Theme
Versions: all versions up to and including 1.2.25 (no lower bound given)
Operating Systems: All OS running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with vulnerable theme version active.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, data theft, and website defacement.

🟠 Likely Case

Sensitive file disclosure (e.g., wp-config.php with database credentials) and limited code execution.

🟢 If Mitigated

No impact if proper file permissions and web server configuration prevent unauthorized file access.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation typically requires sending crafted HTTP requests with file path parameters.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: >1.2.25

Vendor Advisory: https://patchstack.com/database/Wordpress/Theme/rozy/vulnerability/wordpress-rozy-flower-shop-theme-1-2-25-local-file-inclusion-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Update the Rozy theme to the latest version via the WordPress admin panel.
2. Verify the theme version is >1.2.25.
3. Clear any caching plugins/CDN.

🔧 Temporary Workarounds

Disable vulnerable theme (platform: all)

Switch to a default WordPress theme until the patch is applied:

wp theme activate twentytwentyfour

Restrict file access (platform: linux)

Configure the web server to block direct requests to the theme's PHP files:

# Add to the .htaccess inside the theme's own directory (wp-content/themes/rozy/),
# NOT the site root: denying every .php file at the root would also block
# index.php and take the whole site offline. Theme templates are normally
# loaded through WordPress rather than requested directly, so blocking
# direct requests to them is safe.
# Apache 2.2 syntax; on Apache 2.4 replace the two Order/Deny lines with "Require all denied".
<Files "*.php">
  Order Deny,Allow
  Deny from all
</Files>

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block LFI patterns
  • Restrict theme file permissions and disable unnecessary PHP functions

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Appearance > Themes for Rozy theme version <=1.2.25

Check Version:

wp theme list --fields=name,status,version | grep -i rozy

Verify Fix Applied:

Confirm the theme version is >1.2.25 and that test LFI payloads are rejected (return errors rather than file contents)

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests with suspicious file path parameters (e.g., ../../../etc/passwd)
  • PHP include/require errors in web server logs

Network Indicators:

  • Unusual file path patterns in URL parameters
  • Requests to theme files with traversal sequences

SIEM Query:

source="web_access.log" AND (url="*../*" OR url="*php?file=*")
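As an added example (not part of the original advisory), the Python script below applies the log indicators above to constructed Apache access-log lines. It percent-decodes each request target before matching, so encoded and double-encoded traversal sequences, which the literal `*../*` SIEM match above would miss, are still flagged. The IPs, timestamps and requests are constructed sample data.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache combined log format (not from any real server).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Nov/2025:10:01:02 +0000] "GET /wp-content/themes/rozy/style.css HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Nov/2025:10:01:07 +0000] "GET /index.php?file=../../../../etc/passwd HTTP/1.1" 200 1842 "-" "curl/8.4.0"
203.0.113.9 - - [10/Nov/2025:10:01:09 +0000] "GET /index.php?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1842 "-" "curl/8.4.0"
203.0.113.9 - - [10/Nov/2025:10:01:11 +0000] "GET /index.php?file=%252e%252e%252f%252e%252e%252fwp-config.php HTTP/1.1" 500 0 "-" "curl/8.4.0"
198.51.100.2 - - [10/Nov/2025:10:02:00 +0000] "GET /?s=flowers HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, request target and status code from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# ".." used as a path step: at the start, after a "/" or right after a parameter "=" / "&" / "?".
TRAVERSAL_RE = re.compile(r"(?:^|[/=&?])\.\.(?:/|$)")
# The "php?file=" indicator from the SIEM query above, checked on the decoded target.
FILE_PARAM_RE = re.compile(r"(?:^|[?&])file=")


def normalize(target: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (catches double encoding), fold backslashes to '/', lowercase."""
    decoded = target
    for _ in range(rounds):
        nxt = unquote(decoded)
        if nxt == decoded:  # nothing left to decode
            break
        decoded = nxt
    return decoded.replace("\\", "/").lower()


def scan(log_text: str) -> list:
    """Return one finding per request whose decoded target shows an LFI indicator."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; skip rather than crash the scan
        target = normalize(m["target"])
        reasons = []
        if TRAVERSAL_RE.search(target):
            reasons.append("path traversal")
        if FILE_PARAM_RE.search(target):
            reasons.append("file= parameter")  # weaker signal on its own; legitimate pages may use it
        if reasons:
            findings.append({"ip": m["ip"], "status": int(m["status"]),
                             "target": target, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ip']} {f['status']} {', '.join(f['reasons'])}: {f['target']}")
```

A 200 response to a traversal request deserves the most urgent follow-up, since it suggests the include succeeded; a 500 still shows the parameter is being probed.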
