CVE-2025-60066

8.1 HIGH

📋 TL;DR

This vulnerability allows attackers to include local PHP files through improper filename control in the Katelyn WordPress theme. Attackers can potentially read sensitive files or execute arbitrary code on affected WordPress installations. All WordPress sites using Katelyn theme versions up to and including 1.0.10 are affected.

💻 Affected Systems

Products:
  • axiomthemes Katelyn WordPress Theme
Versions: all versions up to and including 1.0.10 (<= 1.0.10)
Operating Systems: Any OS running PHP and WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with Katelyn theme active. PHP configuration may affect exploitability.


⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete server compromise, data theft, and website defacement.

🟠 Likely Case: Sensitive file disclosure (configuration files, database credentials) and limited code execution.

🟢 If Mitigated: No impact if proper file permissions and web server configurations prevent file inclusion.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending crafted HTTP requests to vulnerable endpoints. Public exploit details available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: >1.0.10

Vendor Advisory: https://patchstack.com/database/Wordpress/Theme/katelyn/vulnerability/wordpress-katelyn-theme-1-0-10-local-file-inclusion-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Update the Katelyn theme to the latest version via the WordPress admin panel.
2. Verify the theme version is >1.0.10.
3. Clear any caching plugins/CDN.

🔧 Temporary Workarounds

Disable vulnerable theme (platform: all)

Switch to the default WordPress theme until the patch is applied:

wp theme activate twentytwentyfour

Web Application Firewall rule (platform: all)

Block requests containing local file inclusion patterns (directory traversal sequences and PHP stream wrappers in request parameters).

🧯 If You Can't Patch

  • Implement strict file permissions (644 for files, 755 for directories)
  • Harden the PHP configuration: set allow_url_include=Off (this blocks remote-URL wrappers in include/require; note that it does not by itself stop traversal to local files, so also consider open_basedir to confine includes to the WordPress directory)

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Appearance > Themes for Katelyn theme version <=1.0.10

Check Version:

wp theme list --fields=name,status,version | grep -i katelyn

Verify Fix Applied:

Verify theme version is >1.0.10 and test vulnerable endpoints with controlled payloads

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests with suspicious file paths in parameters
  • PHP include/require errors in web server logs

Network Indicators:

  • Unusual file path patterns in HTTP GET/POST parameters
  • Requests to theme-specific endpoints with file parameters

SIEM Query:

source="web_access.log" AND (uri="*katelyn*" AND (param="*../*" OR param="*php://*" OR param="*file=*"))
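The SIEM query above matches the raw request string, so percent-encoded traversal (for example `%2e%2e%2f`) would slip past it. The following Python script is an added example, not part of this advisory, showing the same detection logic applied to access-log lines with URL decoding before matching. The log lines are constructed samples, and the script names under `/wp-content/themes/katelyn/` (`index.php`, `template.php`) and the parameter names (`file`, `tpl`) are hypothetical placeholders, not the theme's actual vulnerable endpoint.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines in combined log format (not real traffic).
# The theme script and parameter names are hypothetical placeholders.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2025:12:00:01 +0000] "GET /wp-content/themes/katelyn/index.php?file=../../../../wp-config.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [10/Oct/2025:12:00:02 +0000] "GET /wp-content/themes/katelyn/index.php?file=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 500 0 "-" "curl/8.0"
203.0.113.12 - - [10/Oct/2025:12:00:03 +0000] "GET /wp-content/themes/katelyn/style.css HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.13 - - [10/Oct/2025:12:00:04 +0000] "GET /?s=katelyn HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.14 - - [10/Oct/2025:12:00:05 +0000] "POST /wp-content/themes/katelyn/template.php?tpl=php://filter/convert.base64-encode/resource=index HTTP/1.1" 200 900 "-" "python-requests/2.31"
"""

# Common/combined log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Only requests into the theme's own directory are in scope.
THEME_PATH = "/wp-content/themes/katelyn/"


def fully_decode(value, rounds=3):
    """Percent-decode repeatedly (bounded) so double-encoded payloads are normalised."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_target(target):
    """Return the list of reasons a request target looks like a file-inclusion attempt."""
    reasons = []
    parts = urlsplit(target)
    if THEME_PATH not in fully_decode(parts.path).lower():
        return reasons
    # parse_qsl already decodes one layer; fully_decode handles extra layers.
    for name, raw in parse_qsl(parts.query, keep_blank_values=True):
        value = fully_decode(raw)
        if re.search(r"\.\.[/\\]", value):
            reasons.append(f"traversal in {name}")
        if re.match(r"\s*php://", value, re.I):
            reasons.append(f"php wrapper in {name}")
        if name.lower() == "file":
            reasons.append("file parameter present")
    return reasons


def detect_lfi_attempts(log_text):
    """Scan log text and return one record per suspicious request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        reasons = classify_target(m.group("target"))
        if reasons:
            hits.append({
                "ip": m.group("ip"),
                "status": m.group("status"),
                "target": m.group("target"),
                "reasons": reasons,
            })
    return hits


if __name__ == "__main__":
    for hit in detect_lfi_attempts(SAMPLE_LOG):
        print(hit["ip"], hit["status"], ", ".join(hit["reasons"]))
```

On the sample above the script flags three of the five lines: the plain and the percent-encoded traversal requests and the `php://` wrapper request, while the stylesheet fetch and the site search containing the word "katelyn" are ignored because they carry no suspicious parameter. A 500 status on a flagged request is worth correlating with the PHP include/require errors listed under Log Indicators.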
