CVE-2025-60048

8.1 HIGH

📋 TL;DR

This vulnerability allows attackers to include local files on the server through improper input validation in the Tripster WordPress theme. Attackers can potentially read sensitive files or execute arbitrary code by manipulating file inclusion parameters. All WordPress sites using Tripster theme version 1.0.10 or earlier are affected.

💻 Affected Systems

Products:
  • Tripster WordPress Theme
Versions: All versions up to and including 1.0.10
Operating Systems: Any OS running PHP and WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with Tripster theme active. No special configuration needed.

📦 What is this software?

Tripster is a WordPress theme; the vulnerable code ships as part of the theme and runs on any PHP/WordPress host where it is installed.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete server compromise, data theft, and website defacement.

🟠 Likely Case: Sensitive file disclosure (configuration files, database credentials) and limited file system access.

🟢 If Mitigated: Limited impact with proper file permissions and security controls in place.

🌐 Internet-Facing: HIGH - WordPress themes are typically internet-facing and accessible to unauthenticated users.
🏢 Internal Only: LOW - This is primarily a web application vulnerability affecting public-facing WordPress sites.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple HTTP requests can trigger the vulnerability. Public exploit details are available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version after 1.0.10

Vendor Advisory: https://patchstack.com/database/Wordpress/Theme/tripster/vulnerability/wordpress-tripster-theme-1-0-10-local-file-inclusion-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Update the Tripster theme to the latest version via the WordPress admin panel.
2. Verify that the theme version is greater than 1.0.10.
3. Clear the WordPress cache if applicable.

🔧 Temporary Workarounds

Disable Tripster Theme (platform: all)

Switch to a different WordPress theme temporarily. WordPress has no separate "deactivate" step for themes, and WP-CLI has no `wp theme deactivate` subcommand: activating another theme is what deactivates the current one.

wp theme activate twentytwentyfour
# Optional, if the theme is not needed again: the inactive theme's files stay
# under wp-content/themes and may remain reachable until they are removed.
wp theme delete tripster

Restrict PHP File Inclusion (platform: linux)

Limit what include/require can reach via php.ini, then reload PHP-FPM or the web server:

; include/require are language constructs, not functions, so listing them in
; disable_functions has no effect (and blocking them would break WordPress).
; Restrict the inclusion targets instead:
allow_url_include = Off            ; no http(s)://, ftp:// or similar targets in include/require
allow_url_fopen = Off              ; also blocks URL wrappers in file functions
open_basedir = /var/www/html:/tmp  ; confine file access; adjust to the site's document root

Note that open_basedir still allows traversal to files inside the permitted directories (wp-config.php, for example), so this reduces but does not remove the exposure.

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block file inclusion patterns
  • Restrict file system permissions and implement strict input validation

🔍 How to Verify

Check if Vulnerable:

Check the Tripster theme version in the WordPress admin panel. If the version is 1.0.10 or lower, the site is vulnerable.

Check Version:

wp theme list --name=tripster --fields=name,status,version

Verify Fix Applied:

Confirm Tripster theme version is greater than 1.0.10 in WordPress admin.
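The fix instructions and the verification steps above both come down to one check: is the installed Tripster version above 1.0.10? The script below is an added example for this advisory, not code from the advisory or from the theme. It feeds the JSON output of the real WP-CLI command `wp theme list --format=json` into a numeric version comparison (a plain string comparison would rank "1.0.9" above "1.0.10"), and also reports when the theme is installed but inactive, since switching themes leaves its files under wp-content/themes. The only assumptions are that `wp` is on PATH and that it is run from, or pointed at, the WordPress root; the sample JSON is constructed.

```python
"""Check whether an installed Tripster theme is still at a vulnerable version."""
import json
import re
import subprocess

LAST_VULNERABLE = "1.0.10"   # from the advisory: all versions up to and including 1.0.10


def parse_version(text: str) -> tuple:
    """Turn '1.0.10' into (1, 0, 10). Comparing integer tuples avoids the
    string-comparison mistake of ranking '1.0.9' above '1.0.10'."""
    parts = [int(n) for n in re.findall(r"\d+", text)]
    parts += [0] * (3 - len(parts))          # '1.1' compares as 1.1.0
    return tuple(parts)


def is_vulnerable(version: str) -> bool:
    """Advisory rule: every version up to and including 1.0.10 is affected."""
    return parse_version(version) <= parse_version(LAST_VULNERABLE)


def assess(theme_list_json: str, slug: str = "tripster") -> dict:
    """Evaluate the entry for `slug` in `wp theme list --format=json` output."""
    for theme in json.loads(theme_list_json):
        if theme.get("name") == slug:
            version = theme.get("version", "")
            return {
                "installed": True,
                "active": theme.get("status") == "active",
                "version": version,
                "vulnerable": is_vulnerable(version),
            }
    return {"installed": False, "active": False, "version": None, "vulnerable": False}


def assess_live(wp_path=None) -> dict:
    """Run WP-CLI against the local site (assumes `wp` is on PATH)."""
    cmd = ["wp", "theme", "list", "--format=json"]
    if wp_path:
        cmd.append(f"--path={wp_path}")
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return assess(out)


# Constructed sample of `wp theme list --format=json` output; not from any real site.
SAMPLE_THEME_LIST = json.dumps([
    {"name": "twentytwentyfour", "status": "inactive", "update": "none", "version": "1.2"},
    {"name": "tripster", "status": "active", "update": "available", "version": "1.0.10"},
])


if __name__ == "__main__":
    result = assess(SAMPLE_THEME_LIST)   # replace with assess_live() on a real site
    if not result["installed"]:
        print("tripster: not installed")
    else:
        state = "ACTIVE" if result["active"] else "inactive (files still present on disk)"
        verdict = "VULNERABLE" if result["vulnerable"] else "patched"
        print(f"tripster {result['version']}: {verdict}, {state}")
```

On a live site call `assess_live()` (or `assess_live("/var/www/html")`) instead of `assess(SAMPLE_THEME_LIST)`; an "inactive" verdict is not a clean bill of health while the files remain installed.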

📡 Detection & Monitoring

Log Indicators:

  • Unusual file path parameters in HTTP requests
  • Multiple failed include/require attempts in PHP error logs

Network Indicators:

  • HTTP requests with file path parameters like ?file=../../etc/passwd
  • Unusual file inclusion patterns in web traffic

SIEM Query:

web.url:*file=* AND web.url:*../* AND web.status:200
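The SIEM query above matches the literal string `../` in the raw URL, so a single- or double-percent-encoded traversal (`..%2F`, `..%252F`) slips past it, and the hard-coded status filter hides blocked attempts that are still worth seeing. The following is an added detection example, not part of the advisory: it parses combined-format access log lines, URL-decodes each query parameter value repeatedly (bounded) before matching, and makes the status filter a switch. The log lines are constructed, and the request path used in them is a placeholder; the advisory does not name the vulnerable file or parameter.

```python
"""Flag file-inclusion attempts in web server access logs after URL decoding."""
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Apache/nginx "combined" format; only client, URL and status are needed here.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) '
)
# "../" or "..\" as a whole path component, checked on the decoded value.
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')
# PHP stream wrappers are never a legitimate template/file parameter value.
WRAPPER_RE = re.compile(r'^(?:(?:php|phar|expect)://|data:)', re.I)


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Undo nested percent-encoding; bounded so malformed input cannot loop."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(url: str) -> list:
    """Return (name, decoded value) pairs for query parameters that look like LFI."""
    hits = []
    for name, raw in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        value = fully_decode(raw)            # parse_qsl already removed one layer
        if TRAVERSAL_RE.search(value) or WRAPPER_RE.match(value):
            hits.append((name, value))
    return hits


def scan_access_log(text: str, only_successful: bool = True) -> list:
    """Return one finding per log line whose query string carries an LFI pattern.
    With only_successful=True this mirrors the SIEM query's status:200 filter;
    set it to False to also see attempts the server or WAF rejected."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        status = int(m.group("status"))
        if only_successful and status != 200:
            continue
        hits = suspicious_params(m.group("url"))
        if hits:
            findings.append({"client": m.group("client"), "status": status,
                             "url": m.group("url"), "params": hits})
    return findings


# Constructed sample log (placeholder path, documentation IP ranges); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2025:12:00:01 +0000] "GET /wp-content/themes/tripster/example.php?file=../../../../etc/passwd HTTP/1.1" 200 1834 "-" "curl/8.0"
203.0.113.10 - - [10/Oct/2025:12:00:02 +0000] "GET /wp-content/themes/tripster/example.php?file=..%2F..%2Fwp-config.php HTTP/1.1" 200 2210 "-" "curl/8.0"
203.0.113.11 - - [10/Oct/2025:12:00:03 +0000] "GET /wp-content/themes/tripster/example.php?file=..%252F..%252Fwp-config.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
198.51.100.5 - - [10/Oct/2025:12:00:04 +0000] "GET /blog/my-file-archive/?file=report.pdf HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
198.51.100.6 - - [10/Oct/2025:12:00:05 +0000] "GET /wp-content/themes/tripster/example.php?file=php://input HTTP/1.1" 200 3100 "-" "curl/8.0"
203.0.113.12 - - [10/Oct/2025:12:00:06 +0000] "GET /wp-content/themes/tripster/example.php?file=../../etc/passwd HTTP/1.1" 403 199 "-" "curl/8.0"
"""

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG, only_successful=False):
        print(f"{f['client']} {f['status']} {f['params']}")
```

The benign `?file=report.pdf` request is not flagged, the double-encoded request on line 3 is (the raw-URL SIEM query would miss it), and the 403 on the last line only appears when `only_successful=False`; a blocked probe from the same client as earlier successes is exactly the context an analyst wants.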
