CVE-2025-24770
📋 TL;DR
This vulnerability allows attackers to include local files on the server through improper filename control in PHP include/require statements. It affects all WordPress sites using BZOTheme CraftXtore theme versions up to 1.7, potentially leading to sensitive information disclosure or remote code execution.
💻 Affected Systems
- BZOTheme CraftXtore WordPress Theme
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise through local file inclusion leading to remote code execution, data exfiltration, and complete system takeover.
Likely Case
Sensitive file disclosure (configuration files, credentials, database contents) and limited code execution within web server context.
If Mitigated
Limited impact if proper file permissions, web server hardening, and input validation are implemented.
🎯 Exploit Status
Exploitation requires no authentication and uses simple HTTP requests. Public proof-of-concept demonstrates file inclusion via crafted parameters.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version after 1.7
Vendor Advisory: https://patchstack.com/database/wordpress/theme/bw-craftxtore/vulnerability/wordpress-craftxtore-1-7-local-file-inclusion-vulnerability?_s_id=cve
Restart Required: No
Instructions:
1. Update CraftXtore theme to latest version via WordPress admin panel. 2. If update unavailable, remove theme completely. 3. Verify theme files are properly sanitized.
🔧 Temporary Workarounds
Disable vulnerable theme
allSwitch to default WordPress theme to remove vulnerable code
wp theme activate twentytwentyfour
wp theme delete craftxtore
Web Application Firewall rule
linuxBlock requests containing local file inclusion patterns
ModSecurity rule: SecRule ARGS "\.\./" "id:1001,phase:2,deny,status:403,msg:'Local File Inclusion attempt'
🧯 If You Can't Patch
- Implement strict input validation and sanitization for all user-controlled parameters
- Apply principle of least privilege to web server process and file system permissions
🔍 How to Verify
Check if Vulnerable:
Check WordPress theme version in Appearance > Themes or via wp cli: wp theme list --field=name,versionCheck Version:
wp theme list --field=name,version | grep craftxtoreVerify Fix Applied:
Confirm CraftXtore theme version is greater than 1.7 and test file inclusion attempts return proper errors📡 Detection & Monitoring
Log Indicators:
- HTTP requests with ../ patterns in parameters
- PHP include/require warnings for unexpected files
- Access to sensitive files like /etc/passwd in web logs
Network Indicators:
- Unusual file paths in GET/POST parameters
- Requests to theme-specific endpoints with traversal sequences
SIEM Query:
source="web_access.log" AND (uri="*../*" OR params="*../*")