CVE-2025-60056 – This vulnerability allows attackers to include ... (How to Fix)

Q: What is the severity of CVE-2025-60056?

CVE-2025-60056 has a CVSS score of 8.1 (HIGH). This vulnerability allows attackers to include local PHP files through improper filename control in the Winger WordPress theme. Attackers can potentially read sensitive files or execute arbitrary code on the server. All WordPress sites using affected versions of the Winger theme are vulnerable.

📋 TL;DR

This vulnerability allows attackers to include local PHP files through improper filename control in the Winger WordPress theme. Attackers can potentially read sensitive files or execute arbitrary code on the server. All WordPress sites using affected versions of the Winger theme are vulnerable.

💻 Affected Systems

Products:

AncoraThemes Winger WordPress Theme

Versions: All versions up to and including 1.0.16

Operating Systems: Any OS running PHP and WordPress

Default Config Vulnerable: ⚠️ Yes

Notes: Requires WordPress installation with Winger theme active. PHP configuration may affect exploitability.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:

Review the CVE details at NVD
Check vendor security advisories for your specific version
Test if the vulnerability is exploitable in your environment
Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete server compromise, data theft, and website defacement.

🟠

Likely Case

Sensitive file disclosure (configuration files, database credentials) and limited code execution.

🟢

If Mitigated

No impact if proper file permissions and web server configurations prevent file inclusion.

🌐 Internet-Facing: HIGH - WordPress themes are typically internet-facing and this vulnerability requires no authentication.

🏢 Internal Only: MEDIUM - Internal WordPress installations could still be exploited by internal attackers.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Simple HTTP requests can trigger the vulnerability. Public exploit details are available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.0.17 or later

Vendor Advisory: https://patchstack.com/database/Wordpress/Theme/winger/vulnerability/wordpress-winger-theme-1-0-16-local-file-inclusion-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Appearance > Themes. 3. Check for Winger theme update. 4. Update to version 1.0.17 or later. 5. If no update available, deactivate and remove the theme.

🔧 Temporary Workarounds

Disable Winger Theme

all

Deactivate and remove the vulnerable theme immediately

wp theme deactivate winger
wp theme delete winger

PHP Configuration Hardening

linux

Restrict PHP file inclusion functions via php.ini

allow_url_include = Off
open_basedir = /var/www/html

🧯 If You Can't Patch

Replace Winger theme with alternative secure theme
Implement web application firewall rules to block LFI patterns

🔍 How to Verify

Check if Vulnerable:

Check WordPress theme version: wp theme list | grep winger

Check Version:

wp theme list | grep winger

Verify Fix Applied:

Confirm Winger theme version is 1.0.17 or higher: wp theme list | grep winger

📡 Detection & Monitoring

Log Indicators:

Unusual file include patterns in PHP error logs
HTTP requests with file path traversal parameters

Network Indicators:

HTTP requests containing '..', '/etc/passwd', or other file paths in parameters

SIEM Query:

source="web_logs" AND (uri="*..*" OR uri="*/etc/*" OR uri="*php://*" OR params="*file=*" OR params="*include=*")

📊 Metadata

CVE ID: CVE-2025-60056

CVSS v3 Score: 8.1 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-98

EPSS Score: 0.17% exploit probability (37.5th percentile)

Published: December 18, 2025

Last Updated: January 20, 2026

🔗 References

https://patchstack.com/database/Wordpress/Theme/winger/vulnerability/wordpress-winger-theme-1-0-16-local-file-inclusion-vulnerability?_s_id=cve

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-60056, you might also want to check these: