CVE-2025-60063 – This vulnerability allows attackers to include ... (How to Fix)

Q: What is the severity of CVE-2025-60063?

CVE-2025-60063 has a CVSS score of 8.2 (HIGH). This vulnerability allows attackers to include local files on the server through improper filename control in PHP include/require statements. It affects WordPress Rosalinda theme users running versions up to and including 1.2.3, potentially leading to sensitive information disclosure or code execution.

📋 TL;DR

This vulnerability allows attackers to include local files on the server through improper filename control in PHP include/require statements. It affects WordPress Rosalinda theme users running versions up to and including 1.2.3, potentially leading to sensitive information disclosure or code execution.

💻 Affected Systems

Products:

WordPress Rosalinda Theme

Versions: n/a through <= 1.2.3

Operating Systems: All operating systems running PHP

Default Config Vulnerable: ⚠️ Yes

Notes: Requires WordPress installation with Rosalinda theme active. PHP configuration with allow_url_include disabled does not prevent local file inclusion.

📦 What is this software?

Rosalinda by Axiomthemes

View all CVEs affecting Rosalinda →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full server compromise through local file inclusion leading to remote code execution, data theft, and complete system control.

🟠

Likely Case

Sensitive file disclosure (configuration files, credentials), limited code execution, and potential privilege escalation.

🟢

If Mitigated

Limited impact with proper file permissions, web server hardening, and security controls in place.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires knowledge of vulnerable endpoints but is straightforward once identified. Public exploit details available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: >1.2.3

Vendor Advisory: https://patchstack.com/database/Wordpress/Theme/rosalinda/vulnerability/wordpress-rosalinda-theme-1-2-3-local-file-inclusion-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Appearance > Themes. 3. Check if Rosalinda theme version is <=1.2.3. 4. Update theme to latest version. 5. Verify update completed successfully.

🔧 Temporary Workarounds

Disable vulnerable theme

all

Temporarily switch to default WordPress theme until patch is applied

wp theme activate twentytwentyfour

Restrict file access

linux

Implement web server restrictions to prevent access to sensitive directories

# Apache: Add to .htaccess
<FilesMatch "\.(php|inc|conf|config)$">
  Order Deny,Allow
  Deny from all
</FilesMatch>

🧯 If You Can't Patch

Implement web application firewall (WAF) rules to block file inclusion patterns
Restrict PHP execution in upload directories and implement strict file permission controls

🔍 How to Verify

Check if Vulnerable:

Check WordPress theme version in Appearance > Themes or via wp-cli: wp theme list --field=name,status,version

Check Version:

wp theme list --field=name,version | grep rosalinda

Verify Fix Applied:

Confirm Rosalinda theme version is >1.2.3 and test vulnerable endpoints are no longer accessible

📡 Detection & Monitoring

Log Indicators:

Unusual file access patterns in web server logs
PHP include/require errors with suspicious file paths
Multiple requests to theme files with parameter manipulation

Network Indicators:

HTTP requests with file path traversal patterns in parameters
Requests to theme files with unusual file extensions

SIEM Query:

source="web_server" AND (uri="*rosalinda*" AND (param="*../*" OR param="*php://*" OR param="*file=*"))

📊 Metadata

CVE ID: CVE-2025-60063

CVSS v3 Score: 8.2 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

CWE: CWE-98

EPSS Score: 0.06% exploit probability (19th percentile)

Published: December 18, 2025

Last Updated: January 20, 2026

🔗 References

https://patchstack.com/database/Wordpress/Theme/rosalinda/vulnerability/wordpress-rosalinda-theme-1-2-3-local-file-inclusion-vulnerability?_s_id=cve

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-60063, you might also want to check these: