CVE-2025-67935

8.1 HIGH

📋 TL;DR

This vulnerability allows attackers to include local PHP files on servers running the Optimize WordPress theme, potentially leading to remote code execution. It affects WordPress sites using the Optimize theme from Mikado-Themes. Attackers can exploit this without authentication if the vulnerable theme is installed.

💻 Affected Systems

Products:
  • Mikado-Themes Optimize WordPress Theme
Versions: All versions before 2.4
Operating Systems: Any OS running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with Optimize theme active.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full server compromise through remote code execution, data theft, and complete site takeover.

🟠 Likely Case: Local file inclusion leading to sensitive file disclosure, limited code execution, or privilege escalation.

🟢 If Mitigated: Limited impact if file permissions are restrictive and the web server runs with minimal privileges.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple HTTP requests can trigger the vulnerability. Public exploit details are available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.4

Vendor Advisory: https://patchstack.com/database/Wordpress/Theme/optimizewp/vulnerability/wordpress-optimize-theme-2-4-local-file-inclusion-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Appearance > Themes.
3. Update the Optimize theme to version 2.4 or later.
4. Verify that the update completed successfully.

🔧 Temporary Workarounds

Disable vulnerable theme (all platforms)

Switch to a different WordPress theme temporarily (the replacement theme must already be installed):

  wp theme activate twentytwentyfour

Restrict PHP file access (linux)

Add .htaccess rules (mod_rewrite required) to block file inclusion attempts:

  RewriteEngine On
  RewriteCond %{QUERY_STRING} include [NC]
  RewriteRule .* - [F,L]

This rule returns 403 for any request whose query string contains "include", site-wide, so expect false positives on legitimate requests (for example search terms) and scope it to the theme path if possible.

🧯 If You Can't Patch

  • Remove or disable the Optimize theme completely
  • Implement web application firewall rules to block file inclusion patterns

🔍 How to Verify

Check if Vulnerable:

Check the WordPress theme version in Appearance > Themes, or use WP-CLI (--fields, plural, selects several columns; --field prints a single one):

  wp theme list --fields=name,version

Check Version:

  wp theme list --fields=name,status,version | grep -i optimize

Verify Fix Applied:

Confirm that the Optimize theme version is 2.4 or higher.

📡 Detection & Monitoring

Log Indicators:

  • Request parameters carrying file references (include/require-style values) in web server logs
  • Requests with file path parameters to theme files
  • Multiple 500 errors from theme PHP files

Network Indicators:

  • HTTP requests containing 'include' or file path parameters to theme endpoints
  • Unusual traffic to theme-specific PHP files

SIEM Query:

source="web_logs" AND (uri="*optimize*" AND (param="*include*" OR param="*file*"))
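The log indicators above, as an added detection example that is not part of the original advisory: it scans Apache combined-format access-log lines for requests to theme PHP files that carry file-style parameters, traversal or absolute-path values, or return 500. The theme directory /wp-content/themes/optimize/ and the sample log lines are assumptions constructed for the example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed theme directory (the advisory does not give the slug); adjust to match the install.
THEME_PREFIX = "/wp-content/themes/optimize/"
# Parameter names matching the advisory's "include" / "file path" indicators.
SUSPICIOUS_PARAM = re.compile(r"include|file|path|template", re.I)
# Directory traversal or absolute path in a parameter value.
TRAVERSAL = re.compile(r"\.\./|\.\.\\|^/")
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Constructed Apache combined-log lines; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2025:10:00:01 +0000] "GET /wp-content/themes/optimize/index.php?include=../../../../wp-config.php HTTP/1.1" 200 1532 "-" "curl/8.0"
203.0.113.5 - - [10/Jan/2025:10:00:02 +0000] "GET /wp-content/themes/optimize/index.php?file=%2Fvar%2Fwww%2Fhtml%2Fwp-config.php HTTP/1.1" 500 0 "-" "curl/8.0"
203.0.113.5 - - [10/Jan/2025:10:00:03 +0000] "GET /wp-content/themes/optimize/index.php HTTP/1.1" 500 0 "-" "curl/8.0"
198.51.100.7 - - [10/Jan/2025:10:00:04 +0000] "GET /wp-content/themes/optimize/style.css HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2025:10:00:05 +0000] "GET /?s=include HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
"""

def inspect_line(line):
    """Return the reasons a line looks like an LFI probe against a theme PHP file ([] if clean)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    target = urlsplit(m.group("target"))
    path = unquote(target.path)
    if not (path.startswith(THEME_PREFIX) and path.endswith(".php")):
        return []  # only theme PHP endpoints are in scope
    reasons = []
    for name, values in parse_qs(target.query, keep_blank_values=True).items():
        if SUSPICIOUS_PARAM.search(name):
            reasons.append(f"file-style parameter {name!r} sent to theme PHP file")
        for value in values:
            value = unquote(value)  # parse_qs decoded once; catch double encoding too
            if TRAVERSAL.search(value):
                reasons.append(f"traversal or absolute path in {name!r}: {value!r}")
    if m.group("status") == "500" and not reasons:
        reasons.append("server error from theme PHP file (possible failed include)")
    return reasons

def scan_log(text):
    """Return (ip, decoded request target, reasons) for every flagged line."""
    findings = []
    for line in text.splitlines():
        reasons = inspect_line(line)
        if reasons:
            m = LOG_RE.match(line)
            findings.append((m.group("ip"), unquote(m.group("target")), reasons))
    return findings

if __name__ == "__main__":
    for ip, target, reasons in scan_log(SAMPLE_LOG):
        print(ip, target, "; ".join(reasons))
```

The parameter-name heuristic is deliberately broad; tune SUSPICIOUS_PARAM to the theme's actual query parameters to reduce noise, and correlate repeated 500s per source IP rather than alerting on a single one.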
