CVE-2025-60047

8.1 HIGH

📋 TL;DR

CVE-2025-60047 is a PHP Local File Inclusion (LFI) vulnerability in the IPharm WordPress theme by axiomthemes. A file name passed to an include/require statement is built from attacker-controlled request input (CWE-98, Improper Control of Filename for Include/Require Statement), so an unauthenticated attacker can make the site include arbitrary files from the local filesystem. Depending on what is reachable, that discloses sensitive files such as wp-config.php (database credentials) or, if the attacker can first get PHP code onto the server (an upload or a poisoned log), executes it. All IPharm versions up to and including 1.2.3 are affected.
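The pattern behind this class of bug, shown as an added example rather than code from the IPharm theme: the vulnerable form concatenates a request parameter into an include path, the hardened form uses the parameter only as a key into a fixed allowlist. The `template` parameter, the directory names and the allowlist entries are hypothetical.

```php
<?php
// Added example, not code from the IPharm theme: the CWE-98 pattern behind a PHP
// Local File Inclusion, next to an allowlist-based fix. The `template` query
// parameter, the file names and the allowlist are hypothetical.

// VULNERABLE: the include target is built from request input. The string
// "../../../../wp-config" walks out of the theme directory and pulls in
// wp-config.php (database credentials). Because a directory prefix is
// prepended, php:// stream wrappers do not work here; traversal does.
function template_path_vulnerable(array $get, string $theme_dir): string
{
    $template = $get['template'] ?? 'default';
    return $theme_dir . '/templates/' . $template . '.php';   // ".." segments honoured
}

function render_vulnerable(array $get, string $theme_dir): void
{
    include template_path_vulnerable($get, $theme_dir);       // attacker-chosen file
}

// HARDENED: user input is never a path component. It is only a key into a fixed
// map of known templates; anything not in the map is refused outright.
const TEMPLATE_ALLOWLIST = [
    'default' => 'templates/default.php',
    'product' => 'templates/product.php',
    'contact' => 'templates/contact.php',
];

function template_path_hardened(array $get, string $theme_dir): ?string
{
    $key = $get['template'] ?? 'default';
    if (!is_string($key) || !array_key_exists($key, TEMPLATE_ALLOWLIST)) {
        return null;                                         // refuse, do not guess
    }
    return $theme_dir . '/' . TEMPLATE_ALLOWLIST[$key];
}

function render_hardened(array $get, string $theme_dir): void
{
    $path = template_path_hardened($get, $theme_dir);
    if ($path === null) {
        http_response_code(404);                             // or wp_die() inside WordPress
        return;
    }
    include $path;
}

// Constructed payloads; only the resulting paths are computed, nothing is included.
$theme_dir = '/var/www/html/wp-content/themes/example-theme';      // hypothetical docroot
$payloads  = ['product', '../../../../wp-config', '..%2F..%2Fwp-config'];
foreach ($payloads as $p) {
    $get = ['template' => $p];                               // as PHP would decode it from $_GET
    printf("%-28s vulnerable -> %s\n", $p, template_path_vulnerable($get, $theme_dir));
    printf("%-28s hardened   -> %s\n", '', template_path_hardened($get, $theme_dir) ?? 'REJECTED');
}
```

With the allowlist in place the traversal payload never reaches the filesystem, so no realpath() or basename() sanitising is needed; sanitising user-supplied paths is the approach that keeps producing bypasses.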

💻 Affected Systems

Products:
  • axiomthemes IPharm WordPress theme
Versions: All versions up to and including 1.2.3
Operating Systems: Any OS running the WordPress/PHP stack
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with IPharm theme active

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete compromise of the web server, theft of the database and its credentials, and site defacement

🟠 Likely Case: Disclosure of sensitive files (wp-config.php and other configuration, database credentials) and, where the attacker can plant PHP code locally, limited code execution

🟢 If Mitigated: Low residual impact once the theme is updated or removed. File permissions and open_basedir only shrink what an inclusion can reach; they do not stop it, because PHP can read any file the web server user can, and wp-config.php is by design readable by that user

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

A single crafted request is enough: a directory traversal sequence (for example ../../wp-config.php) in the vulnerable parameter. No authentication or special conditions are required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: A release later than 1.2.3 (the advisory lists all versions up to and including 1.2.3 as affected; check the theme changelog for the exact fixed version)

Vendor Advisory: https://patchstack.com/database/Wordpress/Theme/ipharm/vulnerability/wordpress-ipharm-theme-1-2-3-local-file-inclusion-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Update the IPharm theme to the latest release via the WordPress admin panel (Appearance > Themes) or the marketplace account the theme was bought through
2. Verify the installed version is greater than 1.2.3
3. Clear any WordPress page or object cache, if present

🔧 Temporary Workarounds

Disable vulnerable theme

all

Switch to a default WordPress theme until the patch is applied. Activating another theme leaves the IPharm files on disk; if the vulnerable code is reachable by a direct request to a theme file, those files remain exposed, so delete the theme (Appearance > Themes > Theme Details > Delete) rather than only deactivating it.

wp theme activate twentytwentyfour

Restrict PHP file access

linux

include and require are PHP language constructs, not functions, so they cannot be turned off with disable_functions (and WordPress itself depends on them). What php.ini can do is confine where PHP may read from and refuse remote inclusion; adjust the open_basedir path to your document root and note that wp-config.php still lies inside it, so this limits rather than removes the exposure.

open_basedir = /var/www/html/:/tmp/
allow_url_include = Off

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules that block traversal sequences (../, including URL-encoded %2e%2e%2f) and PHP stream wrappers (php://, data://, phar://) in query parameters
  • Restrict file system permissions so the web server user can read only what the site needs, and keep backups and secrets outside the document root

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Appearance > Themes for IPharm theme version

Check Version:

wp theme list --fields=name,status,version | grep -i ipharm

Verify Fix Applied:

Confirm the theme version is greater than 1.2.3 and that a test request with a traversal payload in the previously vulnerable parameter no longer returns file contents (a 404 or the normal page rather than a 200 carrying configuration data)
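For fleets where wp-cli is not installed, the version can be read straight from the theme's style.css header, which is where WordPress records Theme Name and Version. The following is an added example, not part of the advisory; the sample headers are constructed and the "1.2.4" header is a hypothetical later release, not a confirmed fix version.

```php
<?php
// Added example, not part of the advisory: check a theme's style.css header
// against the affected range "up to and including 1.2.3". The sample headers
// below are constructed; 1.2.4 is hypothetical, not a confirmed fixed release.

const AFFECTED_THEME  = 'IPharm';
const LAST_VULNERABLE = '1.2.3';

/** Extract "Key: value" fields from the leading comment block of a style.css. */
function parse_theme_header(string $css): array
{
    $fields = [];
    if (preg_match('~/\*(.*?)\*/~s', $css, $m)) {
        foreach (preg_split('/\R/', $m[1]) as $line) {
            if (preg_match('/^\s*\*?\s*([A-Za-z ]+?):\s*(.+?)\s*$/', $line, $kv)) {
                $fields[trim($kv[1])] = trim($kv[2]);
            }
        }
    }
    return $fields;
}

/** True when the header names IPharm at a version <= 1.2.3. */
function theme_is_affected(string $css): bool
{
    $h = parse_theme_header($css);
    if (strcasecmp($h['Theme Name'] ?? '', AFFECTED_THEME) !== 0) {
        return false;
    }
    return version_compare($h['Version'] ?? '0', LAST_VULNERABLE, '<=');
}

/**
 * Walk wp-content/themes under a document root and list affected style.css files.
 * Child themes carry their own version; the parent IPharm directory is still
 * present with its own style.css, so scanning every theme directory catches it.
 */
function scan_docroot(string $docroot): array
{
    $hits = [];
    foreach (glob($docroot . '/wp-content/themes/*/style.css') ?: [] as $file) {
        if (theme_is_affected((string) file_get_contents($file))) {
            $hits[] = $file;
        }
    }
    return $hits;
}

// Constructed sample headers (not taken from any real theme package).
$samples = [
    'IPharm 1.2.3 (affected)'      => "/*\nTheme Name: IPharm\nTheme URI: https://example.invalid\nVersion: 1.2.3\n*/\n",
    'IPharm 1.2.4 (hypothetical)'  => "/*\nTheme Name: IPharm\nVersion: 1.2.4\n*/\n",
    'unrelated theme'              => "/*\nTheme Name: Twenty Twenty-Four\nVersion: 1.2\n*/\n",
];
foreach ($samples as $label => $css) {
    printf("%-28s affected=%s\n", $label, theme_is_affected($css) ? 'yes' : 'no');
}
if (isset($argv[1])) {                     // optional: php check.php /var/www/html
    print_r(scan_docroot($argv[1]));
}
```

Run it with a document root as the first argument to scan a live install; without one it only exercises the constructed headers.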

📡 Detection & Monitoring

Log Indicators:

  • Requests whose query parameters contain directory traversal sequences, plain (../) or URL-encoded (%2e%2e%2f, %252e), or PHP stream wrappers (php://filter, data://, phar://)
  • Parameter values naming sensitive targets such as wp-config.php, /etc/passwd or /proc/self/environ
  • PHP warnings in the error log from include/require or failed open_basedir checks that mention attacker-looking paths

Network Indicators:

  • HTTP requests with traversal or wrapper payloads in query parameters, especially ones answered with a 200 and a body size consistent with a configuration file rather than a rendered page

SIEM Query:

source="web_access_logs" AND (uri="*../*" OR uri="*%2e%2e*" OR uri="*php://*" OR uri="*data://*" OR uri="*phar://*" OR uri="*wp-config*" OR uri="*/etc/passwd*")
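The wildcard query above misses URL-encoded traversal and cannot tell a successful inclusion from a failed probe. The following added example (not part of the advisory) replays the same logic as a stand-alone PHP CLI filter over combined-format access log lines: it URL-decodes twice before matching, flags wrappers and sensitive targets, and keeps the status code so that a 200 on a traversal payload stands out. The log lines are constructed and the parameter names in SUSPICIOUS_PARAMS are guesses, not the parameter the theme actually uses.

```php
<?php
// Added example, not part of the advisory: scan web-server access log lines for
// LFI probes. The sample lines are constructed; the parameter names are guesses.

const SUSPICIOUS_PARAMS = ['file', 'template', 'page', 'include', 'path'];

/** Decode twice so %2e%2e%2f and double-encoded %252e%252e%252f both become "../". */
function normalise_uri(string $uri): string
{
    return strtolower(rawurldecode(rawurldecode($uri)));
}

/** Reasons a request URI looks like an LFI probe; empty array when it looks clean. */
function lfi_indicators(string $request_uri): array
{
    $u    = normalise_uri($request_uri);
    $hits = [];
    if (str_contains($u, '../') || str_contains($u, '..\\')) {
        $hits[] = 'path traversal';
    }
    if (preg_match('~(?:^|[=&/])(?:php|file|data|phar|expect|zip)://~', $u)) {
        $hits[] = 'stream wrapper';
    }
    $params = implode('|', SUSPICIOUS_PARAMS);
    if (preg_match('~[?&](?:' . $params . ')=[^&]*(?:wp-config|/etc/passwd|/proc/self/)~', $u)) {
        $hits[] = 'sensitive target';
    }
    if (str_contains($u, "\0")) {
        $hits[] = 'null byte';
    }
    return $hits;
}

/** Parse a combined-format access log line into ip, method, uri and status. */
function parse_access_line(string $line): ?array
{
    if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})/', $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'method' => $m[2], 'uri' => $m[3], 'status' => (int) $m[4]];
}

/** Return one alert per suspicious request, carrying the status code for triage. */
function scan_log(iterable $lines): array
{
    $alerts = [];
    foreach ($lines as $line) {
        $req = parse_access_line($line);
        if ($req === null) {
            continue;
        }
        $why = lfi_indicators($req['uri']);
        if ($why !== []) {
            $alerts[] = ['ip' => $req['ip'], 'status' => $req['status'], 'uri' => $req['uri'], 'why' => $why];
        }
    }
    return $alerts;
}

// Constructed sample traffic (not real log data).
$sample = [
    '203.0.113.7 - - [10/Oct/2025:12:00:01 +0000] "GET /?template=product HTTP/1.1" 200 5123',
    '203.0.113.7 - - [10/Oct/2025:12:00:02 +0000] "GET /?template=../../../../wp-config HTTP/1.1" 200 2990',
    '203.0.113.7 - - [10/Oct/2025:12:00:03 +0000] "GET /?template=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 500 0',
    '203.0.113.7 - - [10/Oct/2025:12:00:04 +0000] "GET /?file=php://filter/convert.base64-encode/resource=wp-config.php HTTP/1.1" 200 4011',
    '198.51.100.2 - - [10/Oct/2025:12:00:05 +0000] "GET /wp-content/themes/x/style.css HTTP/1.1" 200 812',
];

foreach (scan_log($sample) as $a) {
    printf("%-15s %3d %-32s %s\n", $a['ip'], $a['status'], implode(', ', $a['why']), $a['uri']);
}
```

Feed real logs with `php scan.php < access.log` after swapping the `$sample` array for `new SplFileObject('php://stdin')`; a traversal request answered 200 with a body size near that of wp-config.php is the line to investigate first, while 4xx/5xx responses to the same payloads are usually failed scanner noise.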

🔗 References
