CVE-2025-60046 – This vulnerability allows attackers to include ... (How to Fix)

Q: What is the severity of CVE-2025-60046?

CVE-2025-60046 has a CVSS score of 8.1 (HIGH). This vulnerability allows attackers to include local files on the server through improper filename control in PHP include/require statements. It affects WordPress HeartStar theme users running versions up to and including 1.0.14, potentially leading to sensitive file disclosure or code execution.

📋 TL;DR

This vulnerability allows attackers to include local files on the server through improper filename control in PHP include/require statements. It affects WordPress HeartStar theme users running versions up to and including 1.0.14, potentially leading to sensitive file disclosure or code execution.

💻 Affected Systems

Products:

WordPress HeartStar Theme

Versions: n/a through <= 1.0.14

Operating Systems: Any OS running PHP

Default Config Vulnerable: ⚠️ Yes

Notes: Requires WordPress installation with HeartStar theme active.

📦 What is this software?

Heartstar by Axiomthemes

View all CVEs affecting Heartstar →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full server compromise through local file inclusion leading to remote code execution, sensitive data exposure, and complete system takeover.

🟠

Likely Case

Sensitive file disclosure (configuration files, credentials), limited code execution, and potential privilege escalation.

🟢

If Mitigated

Limited impact with proper file permissions, web server restrictions, and security controls in place.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Simple HTTP requests can trigger the vulnerability without authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: >1.0.14

Vendor Advisory: https://patchstack.com/database/Wordpress/Theme/heartstar/vulnerability/wordpress-heartstar-theme-1-0-14-local-file-inclusion-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Update HeartStar theme to latest version via WordPress admin panel. 2. Verify theme version is >1.0.14. 3. Clear any caching mechanisms.

🔧 Temporary Workarounds

Disable vulnerable theme

all

Switch to default WordPress theme until patch is applied

wp theme activate twentytwentyfour

Restrict PHP file inclusion

linux

Configure PHP to disable dangerous functions and restrict file inclusion paths

php_admin_value open_basedir /var/www/html
php_admin_value allow_url_include Off

🧯 If You Can't Patch

Implement web application firewall with LFI protection rules
Restrict file permissions and implement strict access controls on sensitive directories

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Appearance > Themes for HeartStar version <=1.0.14

Check Version:

wp theme list --field=name,status,version | grep heartstar

Verify Fix Applied:

Confirm HeartStar theme version >1.0.14 in WordPress admin panel

📡 Detection & Monitoring

Log Indicators:

Unusual file path patterns in web server logs
Multiple requests to theme files with path traversal parameters

Network Indicators:

HTTP requests containing '../' or similar path traversal sequences to theme files

SIEM Query:

source="web_server" AND (uri="*heartstar*" AND (uri="*../*" OR uri="*..\\*"))

📊 Metadata

CVE ID: CVE-2025-60046

CVSS v3 Score: 8.1 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

CWE: CWE-98

EPSS Score: 0.05% exploit probability (15.5th percentile)

Published: December 18, 2025

Last Updated: January 20, 2026

🔗 References

https://patchstack.com/database/Wordpress/Theme/heartstar/vulnerability/wordpress-heartstar-theme-1-0-14-local-file-inclusion-vulnerability?_s_id=cve

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-60046, you might also want to check these: