CVE-2025-14359
📋 TL;DR
This vulnerability allows attackers to include local files on the server through improper filename control in PHP include/require statements. It affects WordPress Oshine theme installations, potentially leading to sensitive file disclosure or code execution. All users running Oshine theme versions up to and including 7.2.7 are vulnerable.
💻 Affected Systems
- WordPress Oshine Theme
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise through local file inclusion leading to remote code execution, sensitive data exposure, and complete system takeover.
Likely Case
Sensitive file disclosure (configuration files, database credentials), limited code execution, and potential privilege escalation.
If Mitigated
Minimal impact with proper file permissions, web server hardening, and security controls in place.
🎯 Exploit Status
Exploitation is straightforward with publicly available proof-of-concept. No authentication required for basic file inclusion.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.2.8 or later
Vendor Advisory: https://patchstack.com/database/Wordpress/Theme/oshin/vulnerability/wordpress-oshine-theme-7-2-7-local-file-inclusion-vulnerability?_s_id=cve
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Appearance > Themes.
3. Check for Oshine theme updates.
4. Update to version 7.2.8 or later.
5. Clear any caching plugins.
🔧 Temporary Workarounds
Disable vulnerable theme (all platforms)
Temporarily switch to a default WordPress theme until the patch is applied.
Restrict PHP file operations (Linux)
Configure PHP via php.ini to restrict file inclusion operations:
allow_url_include = Off
open_basedir = /var/www/html
Note that allow_url_include = Off only blocks inclusion of remote URLs; it does not stop inclusion of files already on the server. open_basedir must point at the site's actual document root, and it confines PHP file access to that tree rather than preventing inclusion of files inside it (such as wp-config.php), so treat both settings as containment, not a fix.
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block file inclusion patterns
- Restrict file permissions and implement strict access controls on sensitive directories
🔍 How to Verify
Check if Vulnerable:
In the WordPress admin panel, go to Appearance > Themes and note the Oshine theme version. If it is 7.2.7 or earlier, the site is vulnerable.
Check Version:
wp theme list --fields=name,version --format=csv | grep -i oshin
Verify Fix Applied:
Confirm Oshine theme version is 7.2.8 or later in WordPress admin panel.
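The following is an added example, not part of the original advisory and not code from the theme vendor or Patchstack: it parses the CSV produced by the wp-cli command above and decides whether the installed theme is at or below 7.2.7. It compares versions numerically rather than as strings, so a hypothetical future "7.10.0" is not mistaken for an older release than "7.2.8". The theme slug pattern (matching both "oshin" and "oshine") and the sample CSV are assumptions; the fixed version 7.2.8 comes from the advisory.

```python
"""Check wp-cli theme output for a vulnerable Oshine version (CVE-2025-14359).

Feed it the text from:
    wp theme list --fields=name,version --format=csv
"""
import csv
import io
import re
import sys

FIXED_VERSION = "7.2.8"  # first release with the fix, per the advisory

# The Patchstack URL uses the slug "oshin"; the theme is marketed as "Oshine".
# Match either spelling (assumption: the real slug is one of these two).
THEME_SLUG = re.compile(r"^oshine?$", re.IGNORECASE)


def parse_version(text: str) -> tuple:
    """Turn '7.2.7' into (7, 2, 7) so comparison is numeric, not lexical.

    Trailing non-numeric text (e.g. '7.2.8-rc1') is dropped from that
    component; missing components count as 0 ('7.2' -> (7, 2, 0)).
    """
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_vulnerable(version: str) -> bool:
    """True when the version predates the fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def check_theme_list(csv_text: str) -> list:
    """Return (slug, version, vulnerable) for every Oshine row in the CSV."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row.get("name", "").strip()
        if THEME_SLUG.match(name):
            version = row.get("version", "").strip()
            findings.append((name, version, is_vulnerable(version)))
    return findings


# Constructed sample output (not captured from a real site).
SAMPLE_CSV = """name,version
twentytwentyfour,1.2
oshin,7.2.7
oshin-child,1.0
"""

if __name__ == "__main__":
    # Read wp-cli output from stdin if piped in, otherwise use the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CSV
    results = check_theme_list(text)
    if not results:
        print("Oshine theme not found in theme list")
    for slug, version, vuln in results:
        state = "VULNERABLE (update to %s or later)" % FIXED_VERSION if vuln else "patched"
        print("%s %s: %s" % (slug, version, state))
```

Usage: `wp theme list --fields=name,version --format=csv | python3 check_oshine.py`. Child themes are ignored on purpose; the parent theme's version is what matters.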
📡 Detection & Monitoring
Log Indicators:
- Unusual file path patterns in web server logs
- Multiple requests to theme files with path traversal parameters
- Failed attempts to access sensitive system files
Network Indicators:
- HTTP requests containing '../' patterns in theme-related URLs
- Requests to theme files with unusual file extensions
SIEM Query:
source="web_server" AND (url="*oshine*" AND (url="*../*" OR url="*php://*" OR url="*file=*"))
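The detection logic above, run over access-log lines, as an added example that is not part of the original advisory and not the vendor's or Patchstack's code. It mirrors the SIEM query (a theme-related URL combined with '../', 'php://' or 'file=') and goes one step further than the literal string match: the request path is URL-decoded twice before matching, so percent-encoded and double-encoded traversal sequences are caught as well. The log format (Apache/nginx combined), the theme path marker and all sample lines are constructed assumptions.

```python
"""Flag access-log requests that match the CVE-2025-14359 indicators.

Equivalent to the SIEM query in the advisory, plus URL decoding so that
encoded traversal (e.g. ..%2f or %252e%252e%252f) is not missed.
"""
import re
from urllib.parse import unquote

# Combined log format: client ident user [time] "METHOD PATH PROTO" status bytes
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)'
)

# Assumed theme directory name; matches both "oshin" and "oshine" paths.
THEME_MARKER = re.compile(r"oshin", re.IGNORECASE)

# Indicators from the advisory's SIEM query.  Dict order = report order.
INDICATORS = {
    "traversal": re.compile(r"\.\./|\.\.\\"),
    "php_wrapper": re.compile(r"php://", re.IGNORECASE),
    "file_param": re.compile(r"[?&]file=", re.IGNORECASE),
}


def decode_twice(path: str) -> str:
    """Decode percent-encoding twice so double-encoded payloads become visible."""
    return unquote(unquote(path))


def classify(line: str):
    """Return a finding dict for a suspicious line, or None for benign/unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, raw_path, status, _ = m.groups()
    path = decode_twice(raw_path)
    # Both halves of the SIEM query must hold: theme URL AND an indicator.
    if not THEME_MARKER.search(path):
        return None
    hits = [name for name, rx in INDICATORS.items() if rx.search(path)]
    if not hits:
        return None
    return {"ip": ip, "time": ts, "method": method, "path": raw_path,
            "status": int(status), "indicators": hits}


def scan(lines) -> list:
    """Run classify() over an iterable of log lines and keep the findings."""
    return [f for f in (classify(l) for l in lines) if f]


# Constructed sample log lines (documentation addresses, placeholder endpoint).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2025:10:00:01 +0000] "GET /wp-content/themes/oshin/style.css HTTP/1.1" 200 5123',
    '198.51.100.7 - - [10/Jan/2025:10:00:05 +0000] "GET /wp-content/themes/oshin/EXAMPLE-ENDPOINT.php?file=../../../../etc/passwd HTTP/1.1" 200 1840',
    '198.51.100.7 - - [10/Jan/2025:10:00:09 +0000] "GET /wp-content/themes/oshin/EXAMPLE-ENDPOINT.php?file=..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 403 0',
    '198.51.100.7 - - [10/Jan/2025:10:00:12 +0000] "GET /wp-content/themes/oshin/EXAMPLE-ENDPOINT.php?file=php://input HTTP/1.1" 500 0',
    '192.0.2.9 - - [10/Jan/2025:10:01:00 +0000] "GET /images/../../etc/passwd HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print("%s %s %s -> %s (HTTP %d)" % (
            f["time"], f["ip"], f["path"], ",".join(f["indicators"]), f["status"]))
```

The last sample line is traversal against a non-theme path and is deliberately not reported, matching the AND in the SIEM query; widen THEME_MARKER if you also want generic traversal probes. A 200 status on a flagged request deserves a closer look than a 403 or 404, since it suggests the inclusion may have succeeded.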