CVE-2025-58889

8.2 HIGH

📋 TL;DR

This vulnerability allows attackers to include local files on the server by supplying an attacker-controlled filename to a PHP include/require statement (local file inclusion). It affects WordPress sites running the Towny theme in versions up to and including 1.16, potentially leading to information disclosure or code execution.

💻 Affected Systems

Products:
  • Towny WordPress Theme
Versions: all versions up to and including 1.16
Operating Systems: Any OS running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress with Towny theme installed and activated.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete server compromise, data theft, and website defacement.

🟠 Likely Case: Local file inclusion allowing sensitive file reading (configuration files, credentials) and limited code execution.

🟢 If Mitigated: Limited impact with proper file permissions and web server hardening, potentially only information disclosure.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is straightforward with publicly available proof-of-concept code.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: >1.16

Vendor Advisory: https://patchstack.com/database/Wordpress/Theme/towny/vulnerability/wordpress-towny-theme-1-16-local-file-inclusion-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Appearance > Themes.
3. Check whether the Towny theme is installed.
4. If the version is 1.16 or lower, update to the latest version or replace it with an alternative theme.
5. Remove any unused Towny theme files.

🔧 Temporary Workarounds

Disable Towny Theme (applies to: all)

Temporarily switch away from the vulnerable theme until it is patched. WP-CLI has no "deactivate" subcommand for themes: activating another theme is what deactivates Towny, after which the now-inactive theme files can be deleted (step 5 above).

wp theme activate twentytwentyfour
wp theme delete towny

Restrict PHP Remote File Inclusion (applies to: all)

Modify php.ini to turn off remote URL handling for include/fopen. allow_url_fopen and allow_url_include are ini directives, not function names, so they are set on their own lines rather than listed in disable_functions. Note that they block inclusion of remote URLs only; they do not prevent inclusion of files already on the local filesystem.

allow_url_fopen = Off
allow_url_include = Off

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block file inclusion patterns
  • Restrict file permissions and implement strict directory traversal protections

🔍 How to Verify

Check if Vulnerable:

Check WordPress theme version in wp-content/themes/towny/style.css or via WordPress admin panel

Check Version:

grep 'Version:' wp-content/themes/towny/style.css

Verify Fix Applied:

Confirm Towny theme version is greater than 1.16 or theme is completely removed

📡 Detection & Monitoring

Log Indicators:

  • Unusual file access patterns in PHP error logs
  • HTTP requests with file inclusion parameters like ?file=../../etc/passwd

Network Indicators:

  • HTTP requests containing ../ patterns or PHP wrapper strings

SIEM Query:

source="web_access_logs" AND (uri="*..*" OR uri="*php://*" OR uri="*file=*" OR uri="*include=*")
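As an added example (not part of this advisory), the following Python script applies the indicators above to a few constructed access-log lines, URL-decoding each request URI first so that percent-encoded or double-encoded traversal sequences are not missed. The sample log lines, the parameter names `file` and `include`, and the combined-log-format regex are assumptions for illustration.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qs

# Constructed sample web access-log lines (not real traffic), combined log format.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2025:12:00:01 +0000] "GET /wp-content/themes/towny/style.css HTTP/1.1" 200 1532
203.0.113.9 - - [10/Oct/2025:12:00:02 +0000] "GET /?file=../../etc/passwd HTTP/1.1" 200 812
203.0.113.9 - - [10/Oct/2025:12:00:03 +0000] "GET /?file=%252e%252e%252fwp-config.php HTTP/1.1" 200 2201
203.0.113.9 - - [10/Oct/2025:12:00:04 +0000] "GET /?include=php://filter/resource=index.php HTTP/1.1" 200 4310
198.51.100.7 - - [10/Oct/2025:12:00:05 +0000] "GET /blog/read-more... HTTP/1.1" 200 9000
"""

# Assumed combined log format: ip ident user [timestamp] "METHOD URI PROTO" status bytes
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*"')
PARAMS = {"file", "include"}  # query parameters named in the advisory's SIEM query

def normalise(uri: str) -> str:
    """URL-decode until stable (max 3 rounds) so %2e%2e and double-encoded forms are caught."""
    for _ in range(3):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri

def indicators(uri: str) -> list:
    """Return the advisory's indicators present in one request URI (empty list = clean)."""
    u = normalise(uri)
    found = []
    if "../" in u or "..\\" in u:          # traversal; tighter than the bare '*..*' wildcard
        found.append("traversal")
    if "php://" in u.lower():              # PHP wrapper string
        found.append("php-wrapper")
    query = parse_qs(urlsplit(u).query, keep_blank_values=True)
    hit = PARAMS & set(query)              # file= / include= parameters present
    if hit:
        found.append("param:" + ",".join(sorted(hit)))
    return found

def scan(log_text: str) -> list:
    """Parse access-log lines and return (ip, uri, indicators) for each suspicious request."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = indicators(m["uri"])
        if hits:
            alerts.append((m["ip"], m["uri"], hits))
    return alerts

if __name__ == "__main__":
    for ip, uri, hits in scan(SAMPLE_LOG):
        print(f"{ip} {uri} -> {', '.join(hits)}")
```

The bare `*..*` wildcard in the SIEM query above also matches benign URIs such as `/blog/read-more...`, which is why the script looks for `../` instead; either rule should be tuned against your own traffic before alerting on it.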
