CVE-2025-60050

Severity: 8.2 HIGH (CVSS)

📋 TL;DR

This vulnerability lets an attacker control the filename passed to a PHP include/require statement in the WordPress Panda theme and thereby include arbitrary local files from the server (local file inclusion, LFI). It affects Panda theme versions up to and including 1.21. The direct impact is disclosure of sensitive files such as wp-config.php; when the attacker can also place PHP code in a file whose path they know (for example an uploaded file or a poisoned log), it escalates to code execution.

💻 Affected Systems

Products:
  • WordPress Panda Theme
Versions: all versions up to and including 1.21
Operating Systems: All operating systems running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Requires a WordPress installation with the Panda theme installed and active. Setting allow_url_include=Off in php.ini only blocks remote (URL) includes; it does not prevent local file inclusion, and the php:// stream wrappers (such as php://filter, which can read source files base64-encoded) remain usable in an include without it.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full server compromise. The inclusion reads any file the PHP process can read (wp-config.php with database credentials, /etc/passwd), and when the attacker can also write PHP code into a file whose path they know (an uploaded file, a poisoned access or error log, a session file) it becomes remote code execution and complete website takeover.

🟠 Likely Case: Disclosure of configuration files and credentials, read access to whatever the PHP process can reach on the file system, and escalation by including PHP files already present on disk.

🟢 If Mitigated: Reduced impact where open_basedir confines PHP to the site directory, the web server user cannot write to locations it could later include, and a WAF or ModSecurity ruleset blocks traversal and stream-wrapper patterns. File permissions such as 644/755 on their own do little here: the PHP process must be able to read wp-config.php to run the site at all.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

A single crafted HTTP request can trigger the vulnerability; no authentication is needed. Public exploit details are available through security advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: any version later than 1.21

Vendor Advisory: https://patchstack.com/database/Wordpress/Theme/panda/vulnerability/wordpress-panda-theme-1-21-local-file-inclusion-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Update the Panda theme to the latest version via the WordPress admin panel (Appearance > Themes) or WP-CLI.
2. Verify the installed theme version is greater than 1.21.
3. Clear any caching plugins or page caches.
4. Test site functionality.

🔧 Temporary Workarounds

Disable vulnerable theme (all platforms)

Switch to a default WordPress theme until the patch is applied:

wp theme activate twentytwentyfour

Web Application Firewall rules (Linux web servers with ModSecurity or an equivalent WAF)

Block requests whose parameter values contain directory-traversal sequences or stream-wrapper URIs. Match on the decoded value, not the raw URL: ../ rarely appears literally and is usually sent as %2e%2e%2f or double-encoded as %252e%252e%252f. A ModSecurity rule set should cover ../ and ..\ after URL decoding, as well as file:// and php:// (notably php://filter) wrapper prefixes.

🧯 If You Can't Patch

  • Confine PHP with open_basedir and keep the web server user from writing to paths it could later include (uploads, logs, session storage), so an attacker cannot plant a PHP payload to include; strict file permissions (644 for files, 755 for directories) help against other tampering but do not stop the PHP process reading files the site already uses
  • Deploy a web application firewall with LFI rules that inspect decoded parameter values for traversal sequences and php:// or file:// wrappers

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Appearance > Themes for Panda theme version <=1.21

Check Version:

wp theme list --fields=name,status,version | grep -i panda

Verify Fix Applied:

Confirm Panda theme version >1.21 in WordPress admin and test theme functionality
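The version check above is per site. For a fleet, the following added example (not part of the advisory or of the Panda theme) reads each theme's style.css header, which is where WordPress stores a theme's version, and flags any Panda copy at or below 1.21. The theme directory name panda is an assumption; whether the theme is active is recorded in the database (the stylesheet option), not on disk, so this reports installed copies only, and an inactive vulnerable copy should still be updated.

```python
"""Fleet check for Panda theme copies at or below 1.21 (added example).
Reads wp-content/themes/*/style.css headers; constructed sample tree included."""
import re
import tempfile
from pathlib import Path

LAST_VULNERABLE = (1, 21)   # advisory: all versions through 1.21 are affected
THEME_SLUG = "panda"        # assumption: the theme lives in wp-content/themes/panda

# WordPress theme header line, e.g. "Version: 1.21" (optionally prefixed by " * ").
HEADER_VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)", re.MULTILINE)


def version_tuple(version: str) -> tuple:
    """'1.21' -> (1, 21); stops at the first non-numeric component (e.g. '-beta')."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_vulnerable(version: str) -> bool:
    """True when the version is at or below the last affected release."""
    return version_tuple(version) <= LAST_VULNERABLE


def theme_version(style_css: Path):
    """Extract the Version: header from a theme's style.css, or None if absent."""
    m = HEADER_VERSION_RE.search(style_css.read_text(errors="replace"))
    return m.group(1) if m else None


def scan_wordpress_root(wp_root: Path) -> list:
    """Return (theme_dir, version, vulnerable) for each Panda copy under wp-content/themes."""
    findings = []
    for style_css in (wp_root / "wp-content" / "themes").glob("*/style.css"):
        if style_css.parent.name.lower() != THEME_SLUG:
            continue
        version = theme_version(style_css)
        findings.append((style_css.parent.name, version,
                         version is not None and is_vulnerable(version)))
    return findings


def build_sample_tree() -> Path:
    """Create a throwaway WordPress-like tree holding Panda 1.21 (constructed data)."""
    root = Path(tempfile.mkdtemp(prefix="wp-"))
    themes = root / "wp-content" / "themes"
    (themes / "panda").mkdir(parents=True)
    (themes / "panda" / "style.css").write_text(
        "/*\nTheme Name: Panda\nTheme URI: https://example.invalid/panda\nVersion: 1.21\n*/\n")
    (themes / "twentytwentyfour").mkdir()
    (themes / "twentytwentyfour" / "style.css").write_text(
        "/*\nTheme Name: Twenty Twenty-Four\nVersion: 1.2\n*/\n")
    return root


if __name__ == "__main__":
    for theme_dir, version, vulnerable in scan_wordpress_root(build_sample_tree()):
        print(f"{theme_dir}: {version} -> {'VULNERABLE' if vulnerable else 'ok'}")
```

Point scan_wordpress_root at each site's document root; the numeric tuple comparison is what makes 1.3 rank below 1.21, which a plain string comparison gets wrong.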

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests with ../ sequences in parameter values, including URL-encoded (%2e%2e%2f) and double-encoded (%252e%252e%252f) forms
  • PHP include/require warnings in the PHP or web server error log ("failed to open stream", "Failed opening ... for inclusion")
  • Parameter values referencing wp-config.php, /etc/passwd, /proc/self/environ or php://filter

Network Indicators:

  • HTTP GET requests with file inclusion parameters
  • Unusual file paths in URL parameters

SIEM Query:

source="web_logs" AND (uri="*../*" OR uri="*%2e%2e*" OR uri="*..%2f*" OR uri="*php://*" OR uri="*wp-config.php*" OR uri="*/etc/passwd*")

Parameter-name matches such as uri="*file=*" or uri="*include=*" are very noisy on a WordPress site; prefer matching on decoded parameter values, and tune to the theme's actual parameter name once the advisory details are known.
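Where the SIEM cannot URL-decode before matching, the same indicators can be applied offline. The following added example (not from the advisory or the theme) parses combined-format access logs, percent-decodes parameter values repeatedly so double encoding is caught, and reports which indicator fired for each request. The log lines are constructed samples using documentation addresses.

```python
"""LFI indicator scan over combined-format access logs (added example).
Sample log lines below are constructed, not real traffic."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicator name -> pattern applied to decoded, lower-cased values.
INDICATORS = {
    "traversal": re.compile(r"\.\.[/\\]"),
    "php-wrapper": re.compile(r"\b(?:php|phar|file|data|expect|zip)://"),
    "null-byte": re.compile(r"\x00"),
    "sensitive-path": re.compile(r"/etc/passwd|/proc/self/environ|wp-config\.php"),
}


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly so double encoding (%252e%252e%252f) is caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def lfi_indicators(uri: str) -> list:
    """Return the sorted indicator names triggered by one request URI."""
    parts = urlsplit(uri)
    path = fully_decode(parts.path).lower()
    values = [fully_decode(v).lower()
              for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    hits = set()
    for name, pattern in INDICATORS.items():
        # A sensitive file name is only an LFI signal inside a parameter value;
        # a direct GET /wp-config.php is a different kind of probe.
        candidates = values if name == "sensitive-path" else [path] + values
        if any(pattern.search(v) for v in candidates):
            hits.add(name)
    return sorted(hits)


def scan_log(lines) -> list:
    """Parse combined-format lines; return one finding per request with indicators."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than crash
        hits = lfi_indicators(m.group("uri"))
        if hits:
            findings.append({"ip": m.group("ip"), "uri": m.group("uri"),
                             "status": int(m.group("status")), "indicators": hits})
    return findings


# Constructed sample lines (RFC 5737 addresses); the parameter names are illustrative.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2025:12:00:01 +0000] "GET /?template=../../../../etc/passwd HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.5 - - [10/Oct/2025:12:00:02 +0000] "GET /index.php?file=%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 200 1024 "-" "curl/8.0"',
    '203.0.113.5 - - [10/Oct/2025:12:00:03 +0000] "GET /?template=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 512 "-" "curl/8.0"',
    '198.51.100.7 - - [10/Oct/2025:12:00:04 +0000] "GET /?page=php://filter/convert.base64-encode/resource=wp-config.php HTTP/1.1" 200 2048 "-" "python-requests/2.31"',
    '192.0.2.9 - - [10/Oct/2025:12:00:05 +0000] "GET /wp-content/themes/panda/style.css HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Oct/2025:12:00:06 +0000] "GET /?s=hello+world HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], f["status"], ",".join(f["indicators"]), f["uri"])
```

A 200 response on a traversal request is the line to chase first: it suggests the include succeeded rather than being rejected. The benign theme asset and search requests produce no finding, which is the false-positive behaviour to preserve when extending the patterns.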
