CVE-2025-60059

8.1 HIGH

📋 TL;DR

This vulnerability allows attackers to include local files on the server through improper filename control in PHP include/require statements. It affects WordPress smartSEO theme users running versions up to and including 2.12, potentially leading to sensitive information disclosure or code execution.

💻 Affected Systems

Products:
  • WordPress smartSEO Theme
Versions: all releases up to and including 2.12
Operating Systems: All operating systems running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with smartSEO theme active. PHP configuration with allow_url_include disabled reduces but doesn't eliminate risk.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full server compromise through local file inclusion leading to remote code execution, sensitive file disclosure (including configuration files with credentials), and complete system takeover.

🟠

Likely Case

Sensitive information disclosure (database credentials, configuration files), limited file read access, and potential privilege escalation through file manipulation.

🟢

If Mitigated

Limited impact with proper file permissions, web server restrictions, and PHP security settings preventing file inclusion outside web root.

🌐 Internet-Facing: HIGH - WordPress themes are typically internet-facing, and this vulnerability can be exploited remotely without authentication.
🏢 Internal Only: MEDIUM - Internal systems running vulnerable versions remain at risk from internal threats or compromised accounts.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple HTTP requests can trigger the vulnerability. Public proof-of-concept exists on security research sites.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: > 2.12

Vendor Advisory: https://patchstack.com/database/Wordpress/Theme/smartSEO/vulnerability/wordpress-smart-seo-theme-2-12-local-file-inclusion-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Appearance > Themes.
3. Check whether the smartSEO theme shows an update available.
4. Update to the latest version (> 2.12).
5. Alternatively, replace it with a maintained alternative theme.

🔧 Temporary Workarounds

Disable vulnerable theme

Platform: all

Temporarily disable smartSEO theme until patched

wp theme deactivate smartSEO
wp theme activate twentytwentyfour

PHP configuration hardening

Platform: linux

Set PHP directives (Apache vhost or .htaccess syntax shown) to restrict file inclusion; adjust the open_basedir path to the site's document root

php_admin_value allow_url_include Off
php_admin_value open_basedir /var/www/html

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block file inclusion patterns
  • Restrict file permissions and implement strict access controls on sensitive directories

🔍 How to Verify

Check if Vulnerable:

Check the installed theme version: wp theme list | grep smartSEO, or inspect the Version header in wp-content/themes/smartSEO/style.css

Check Version:

wp theme list --fields=name,version | grep smartSEO

Verify Fix Applied:

Confirm the theme version is greater than 2.12. Note that wp theme list | grep smartSEO | grep -v '2.12' also passes older vulnerable releases such as 2.11, so read the version directly and compare it: wp theme get smartSEO --field=version

📡 Detection & Monitoring

Log Indicators:

  • Unusual file include patterns in PHP error logs
  • HTTP requests with suspicious file parameters like ?file=../../../etc/passwd

Network Indicators:

  • HTTP requests containing path traversal sequences (../) in parameters
  • Unusual file read attempts from web server

SIEM Query:

source="web_server_logs" AND (uri="*..*" OR param="*..*") AND user_agent!="*bot*"
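The query above matches a literal ".." and drops requests whose user agent contains "bot"; both choices miss real attempts, because the same traversal arrives percent-encoded (%2e%2e%2f) or double-encoded, and the user agent is chosen by the sender. The following added example (not part of this advisory or the theme) decodes each query value until it is stable and flags traversal in any parameter without a user-agent exclusion, run over constructed log lines.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qsl

# Combined-log-format access lines, constructed for this example (not from a real server).
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2025:12:00:01 +0000] "GET /wp-content/themes/smartSEO/index.php?file=../../../etc/passwd HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
203.0.113.11 - - [10/Oct/2025:12:00:02 +0000] "GET /wp-content/themes/smartSEO/index.php?file=%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
203.0.113.12 - - [10/Oct/2025:12:00:03 +0000] "GET /wp-content/themes/smartSEO/index.php?file=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1523 "-" "Mozilla/5.0 (compatible; scanbot/1.0)"
198.51.100.7 - - [10/Oct/2025:12:00:04 +0000] "GET /?p=42 HTTP/1.1" 200 8810 "-" "Mozilla/5.0"
198.51.100.8 - - [10/Oct/2025:12:00:05 +0000] "GET /wp-content/themes/smartSEO/style.css?ver=2.12 HTTP/1.1" 200 4201 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
                    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')
TRAVERSAL_RE = re.compile(r'\.\.[\\/]')  # "../" or "..\" once decoded

def fully_decode(value, rounds=3):
    """Undo percent-encoding until stable, so %2e%2e%2f and %252e%252e%252f both yield '../'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_traversal(line):
    """Return (ip, parameter, decoded value, user agent) for the first traversal hit, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m['target'])
    # Check the path itself and every query value; parse_qsl already decodes one layer.
    candidates = [('path', parts.path)] + parse_qsl(parts.query, keep_blank_values=True)
    for name, raw in candidates:
        value = fully_decode(raw)
        if TRAVERSAL_RE.search(value):
            return (m['ip'], name, value, m['ua'])
    return None

def scan(log_text):
    """Return all traversal hits in a log dump. No user-agent exclusion: the UA is sender-controlled."""
    return [hit for hit in map(find_traversal, log_text.splitlines()) if hit]

if __name__ == '__main__':
    for ip, name, value, ua in scan(SAMPLE_LOG):
        print(f'{ip} param={name} value={value!r} ua={ua!r}')
```

Against the sample, the plain and both encoded requests are reported (three hits), while the two ordinary WordPress requests are not.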
