CVE-2025-31064 – This vulnerability allows attackers to include ... (How to Fix)

Q: What is the severity of CVE-2025-31064?

CVE-2025-31064 has a CVSS score of 8.1 (HIGH). This vulnerability allows attackers to include local files on the server through improper filename control in PHP include/require statements. It affects all WordPress installations using the Vizeon - Business Consulting theme versions up to 1.1.7. Attackers can potentially read sensitive files or execute arbitrary code.

📋 TL;DR

This vulnerability allows attackers to include local files on the server through improper filename control in PHP include/require statements. It affects all WordPress installations using the Vizeon - Business Consulting theme versions up to 1.1.7. Attackers can potentially read sensitive files or execute arbitrary code.

💻 Affected Systems

Products:

Vizeon - Business Consulting WordPress Theme

Versions: n/a through 1.1.7

Operating Systems: Any OS running PHP

Default Config Vulnerable: ⚠️ Yes

Notes: Requires WordPress installation with the vulnerable theme active. PHP configuration with allow_url_include disabled does not prevent local file inclusion.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:

Review the CVE details at NVD
Check vendor security advisories for your specific version
Test if the vulnerability is exploitable in your environment
Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise, data exfiltration, and persistent backdoor installation.

🟠

Likely Case

Sensitive file disclosure (configuration files, database credentials, user data) and limited code execution within web server context.

🟢

If Mitigated

Limited information disclosure if file permissions are properly configured and web server runs with minimal privileges.

🌐 Internet-Facing: HIGH - WordPress themes are typically internet-facing and this vulnerability requires no authentication.

🏢 Internal Only: MEDIUM - Internal systems could still be targeted through phishing or compromised internal accounts.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Simple HTTP requests can trigger the vulnerability. Public exploit details are available on security research sites.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.1.8 or later

Vendor Advisory: https://patchstack.com/database/wordpress/theme/vizeon/vulnerability/wordpress-vizeon-business-consulting-1-1-7-local-file-inclusion-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Update the Vizeon theme to version 1.1.8 or later via WordPress admin panel. 2. Alternatively, download the latest version from the theme repository and replace the existing theme files. 3. Clear any caching mechanisms after update.

🔧 Temporary Workarounds

Disable vulnerable theme

all

Switch to a different WordPress theme until patch can be applied

wp theme activate twentytwentyfour --allow-root

Restrict PHP file inclusion

linux

Modify PHP configuration to restrict file inclusion paths

echo 'open_basedir = /var/www/html' >> /etc/php/8.2/fpm/php.ini
systemctl restart php8.2-fpm

🧯 If You Can't Patch

Implement web application firewall (WAF) rules to block file inclusion patterns
Restrict web server permissions to prevent reading sensitive files outside web root

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Appearance > Themes for Vizeon theme version. If version is 1.1.7 or earlier, system is vulnerable.

Check Version:

wp theme list --field=name,status,version | grep vizeon

Verify Fix Applied:

Verify theme version shows 1.1.8 or later in WordPress admin. Test with known safe LFI payloads to confirm patched behavior.

📡 Detection & Monitoring

Log Indicators:

Unusual file paths in PHP error logs
Multiple requests to theme files with ../ patterns
Requests to wp-content/themes/vizeon with unusual parameters

Network Indicators:

HTTP requests containing ../ patterns targeting theme files
Unusual file extensions in URLs (e.g., .php?file=../../wp-config.php)

SIEM Query:

source="web_logs" AND (url="*vizeon*" AND (url="*../*" OR url="*..\\*" OR param="*file=*"))

📊 Metadata

CVE ID: CVE-2025-31064

CVSS v3 Score: 8.1 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-98

EPSS Score: 0.16% exploit probability (36.7th percentile)

Published: May 23, 2025

Last Updated: May 23, 2025

🔗 References

https://patchstack.com/database/wordpress/theme/vizeon/vulnerability/wordpress-vizeon-business-consulting-1-1-7-local-file-inclusion-vulnerability?_s_id=cve

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-31064, you might also want to check these: