CVE-2025-54700

8.1 HIGH

📋 TL;DR

This vulnerability allows attackers to include local files on the server through PHP's include/require functions in the Makeaholic WordPress theme. Attackers can potentially read sensitive files or execute code by manipulating file paths. All WordPress sites using the Makeaholic theme version 1.8.4 or earlier are affected.

💻 Affected Systems

Products:
  • ThemeMove Makeaholic WordPress Theme
Versions: n/a through 1.8.4
Operating Systems: Any OS running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with Makeaholic theme active.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete server compromise, data theft, and website defacement.

🟠 Likely Case

Sensitive file disclosure (configuration files, database credentials) and limited code execution.

🟢 If Mitigated

File read-only access if PHP execution is restricted in included files.

🌐 Internet-Facing: HIGH - WordPress themes are typically internet-facing and accessible to unauthenticated users.
🏢 Internal Only: MEDIUM - Internal WordPress installations could still be exploited by internal threats.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple path traversal or file inclusion payloads can exploit this vulnerability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.8.5 or later

Vendor Advisory: https://patchstack.com/database/wordpress/theme/makeaholic/vulnerability/wordpress-makeaholic-theme-1-8-4-local-file-inclusion-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Update the Makeaholic theme to version 1.8.5+ via the WordPress admin panel.
2. Alternatively, download the latest version from the WordPress repository.
3. Replace the theme files manually if auto-update fails.

🔧 Temporary Workarounds

Disable vulnerable theme (platform: all)

Switch to a different WordPress theme until the patch is applied.

Restrict PHP file inclusion (platform: Linux)

Add .htaccess rules to block file inclusion attempts. Note that this rule only rejects query strings that carry both an include/require token and a php:// wrapper, so it is a narrow filter and not a substitute for the patch:

RewriteEngine On
# [NC] makes the match case-insensitive, since PHP stream wrapper names are not case-sensitive
RewriteCond %{QUERY_STRING} (include|require).*php:// [NC]
RewriteRule ^.*$ - [F,L]

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block file inclusion patterns
  • Restrict file system permissions and disable PHP execution in upload directories

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Appearance > Themes for Makeaholic theme version 1.8.4 or earlier

Check Version:

grep -r "Version:" wp-content/themes/makeaholic/style.css

Verify Fix Applied:

Confirm Makeaholic theme version is 1.8.5+ in WordPress admin panel

📡 Detection & Monitoring

Log Indicators:

  • Unusual file path patterns in PHP error logs
  • Multiple 404 errors for non-existent theme files
  • include/require statements with suspicious parameters

Network Indicators:

  • HTTP requests with file path traversal in parameters
  • Requests to theme files with unusual query strings

SIEM Query:

source="web_logs" AND (uri="*makeaholic*" AND (query="*include*" OR query="*require*" OR query="*php://*"))
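The SIEM query above matches literal strings, which misses percent-encoded traversal such as %2e%2e%2f. As an added example (not part of this advisory), the following script applies the log and network indicators above to constructed Apache access-log lines, decoding parameter values before matching; it assumes the standard WordPress theme location /wp-content/themes/makeaholic/, and the script name "example.php" and the "file" parameter are placeholders because the advisory names neither.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed Apache log sample; "example.php" and "file" are placeholder names (advisory names neither).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Aug/2025:12:00:01 +0000] "GET /wp-content/themes/makeaholic/style.css HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Aug/2025:12:00:02 +0000] "GET /wp-content/themes/makeaholic/example.php?file=../../../../wp-config.php HTTP/1.1" 200 812 "-" "curl/8.0"
203.0.113.9 - - [10/Aug/2025:12:00:03 +0000] "GET /wp-content/themes/makeaholic/example.php?file=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 640 "-" "curl/8.0"
203.0.113.9 - - [10/Aug/2025:12:00:04 +0000] "GET /wp-content/themes/makeaholic/example.php?file=php://filter/convert.base64-encode/resource=wp-config.php HTTP/1.1" 200 2048 "-" "curl/8.0"
198.51.100.2 - - [10/Aug/2025:12:00:05 +0000] "GET /?s=include+require+php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
THEME_PATH = "/wp-content/themes/makeaholic/"  # assumed standard theme directory
LFI_PATTERNS = (
    ("path traversal", re.compile(r"(^|[\\/])\.\.([\\/]|$)")),
    ("stream wrapper", re.compile(r"^\s*(php|phar|data|file|expect|zip)://", re.I)),
    ("null byte", re.compile("\x00")),
)

def fully_decode(value, rounds=3):
    # Percent-decode repeatedly so double-encoded traversal (%252e%252e%252f) is caught.
    for _ in range(rounds):
        value, previous = unquote(value), value
        if value == previous:
            break
    return value

def classify_request(target):
    """Return (param, reason) findings for one request target (path + query)."""
    parts = urlsplit(target)
    if THEME_PATH not in unquote(parts.path).lower():
        return []  # only requests into the theme directory are in scope here
    findings = []
    for name, raw in parse_qsl(parts.query, keep_blank_values=True):
        value = fully_decode(raw)  # parse_qsl decoded once; this handles further layers
        findings.extend((name, reason) for reason, pat in LFI_PATTERNS if pat.search(value))
    return findings

def scan_log(text):
    """Return one dict per suspicious request in the access-log text."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for param, reason in classify_request(m.group("target")):
            hits.append({"ip": m.group("ip"), "param": param, "reason": reason, "status": m.group("status")})
    return hits
```

Feed real access logs through scan_log and correlate hits by source IP; a 200 status on a flagged request against an unpatched theme warrants treating the server as potentially compromised.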
