CVE-2025-58901 – This vulnerability allows attackers to include ... (How to Fix)

Q: What is the severity of CVE-2025-58901?

CVE-2025-58901 has a CVSS score of 8.1 (HIGH). This vulnerability allows attackers to include local PHP files through improper filename control in the Takeout WordPress theme. Attackers can read sensitive files like configuration files or potentially execute code. All WordPress sites using Takeout theme version 1.3.0 or earlier are affected.

📋 TL;DR

This vulnerability allows attackers to include local PHP files through improper filename control in the Takeout WordPress theme. Attackers can read sensitive files like configuration files or potentially execute code. All WordPress sites using Takeout theme version 1.3.0 or earlier are affected.

💻 Affected Systems

Products:

AncoraThemes Takeout WordPress Theme

Versions: All versions up to and including 1.3.0

Operating Systems: Any OS running PHP

Default Config Vulnerable: ⚠️ Yes

Notes: Requires WordPress installation with Takeout theme active. PHP configuration with allow_url_include disabled does not prevent local file inclusion.

📦 What is this software?

Takeout by Ancorathemes

View all CVEs affecting Takeout →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise, data theft, and website defacement.

🟠

Likely Case

Sensitive file disclosure including wp-config.php containing database credentials, potentially leading to database access.

🟢

If Mitigated

Limited impact if file permissions restrict sensitive files and web server runs with minimal privileges.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires no authentication and uses simple HTTP requests with path traversal.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.3.1 or later

Vendor Advisory: https://patchstack.com/database/Wordpress/Theme/takeout/vulnerability/wordpress-takeout-theme-1-3-0-local-file-inclusion-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Appearance > Themes. 3. Update Takeout theme to version 1.3.1 or later. 4. Clear any caching plugins/CDN caches.

🔧 Temporary Workarounds

Disable vulnerable theme

all

Switch to default WordPress theme until patch can be applied

wp theme activate twentytwentyfour

Web Application Firewall rule

all

Block requests containing path traversal sequences in theme parameters

🧯 If You Can't Patch

Implement strict file permissions (644 for files, 755 for directories)
Use web server configuration to block access to wp-config.php and other sensitive files

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Appearance > Themes for Takeout theme version 1.3.0 or earlier

Check Version:

wp theme list --name=takeout --field=version

Verify Fix Applied:

Confirm Takeout theme version is 1.3.1 or later in WordPress admin

📡 Detection & Monitoring

Log Indicators:

HTTP requests with path traversal sequences (../) in theme-related parameters
Access to sensitive files like wp-config.php from web root

Network Indicators:

Unusual file read patterns from web server
Requests to theme files with parameter manipulation

SIEM Query:

web.access: *../* AND (url.path: *takeout* OR url.path: *theme*)

📊 Metadata

CVE ID: CVE-2025-58901

CVSS v3 Score: 8.1 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-98

EPSS Score: 0.17% exploit probability (37.5th percentile)

Published: December 18, 2025

Last Updated: January 20, 2026

🔗 References

https://patchstack.com/database/Wordpress/Theme/takeout/vulnerability/wordpress-takeout-theme-1-3-0-local-file-inclusion-vulnerability?_s_id=cve

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-58901, you might also want to check these: