CVE-2025-67936
📋 TL;DR
This CVE describes a PHP Local File Inclusion vulnerability in the Curly WordPress theme by Mikado-Themes. Attackers can include arbitrary local files through improper filename control in PHP include/require statements, potentially leading to sensitive information disclosure or code execution. WordPress sites using Curly theme versions before 3.3 are affected.
💻 Affected Systems
- Mikado-Themes Curly WordPress Theme
📦 What is this software?
Curly by Qodeinteractive
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise through inclusion of malicious PHP files leading to remote code execution, data exfiltration, and complete site takeover.
Likely Case
Sensitive file disclosure (configuration files, database credentials, source code) and limited code execution within web server context.
If Mitigated
Information disclosure limited to publicly accessible files if proper file permissions and web server restrictions are in place.
🎯 Exploit Status
Simple path traversal or file inclusion payloads can trigger the vulnerability. Public exploit details are available on security research sites.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.3
Vendor Advisory: https://patchstack.com/database/Wordpress/Theme/curly/vulnerability/wordpress-curly-theme-3-3-local-file-inclusion-vulnerability?_s_id=cve
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Appearance > Themes.
3. Find the Curly theme and click 'Update Now' if an update is available.
4. If a manual update is needed, download version 3.3+ from Mikado-Themes and upload it via FTP/SFTP, replacing the old files.
5. Clear any caching plugin and CDN caches.
🔧 Temporary Workarounds
Disable vulnerable theme
Switch to a default WordPress theme until patched:
wp theme activate twentytwentyfour
Restrict PHP file inclusion
Add web server rules that confine the files PHP may open (open_basedir), so include/require calls cannot reach outside the web root:
Apache (mod_php; vhost config or .htaccess):
<LocationMatch "\.php$">
    php_admin_value open_basedir "/var/www/html:/tmp"
</LocationMatch>
Nginx (PHP-FPM; inside the PHP location block):
location ~ \.php$ {
    fastcgi_param PHP_ADMIN_VALUE "open_basedir=/var/www/html:/tmp";
}
Note: php_admin_value only takes effect under mod_php. If Apache hands PHP to PHP-FPM, set php_admin_value[open_basedir] in the FPM pool configuration instead. Adjust the paths to your document root.
🧯 If You Can't Patch
- Implement Web Application Firewall (WAF) rules to block LFI patterns and path traversal attempts
- Restrict file permissions and implement strict open_basedir directives in PHP configuration
🔍 How to Verify
Check if Vulnerable:
Check the WordPress admin panel (Appearance > Themes) for the Curly theme version. If the version is below 3.3, the site is vulnerable.
Check Version:
wp theme list --name=curly --field=version
Verify Fix Applied:
Confirm the Curly theme version is 3.3 or higher in the WordPress admin. Test with known safe LFI payloads to confirm they are blocked.
📡 Detection & Monitoring
Log Indicators:
- Unusual PHP include/require errors with path traversal patterns
- Access to sensitive files like /etc/passwd, wp-config.php in web logs
- Multiple 404 errors followed by successful file inclusion
Network Indicators:
- HTTP requests with ../ sequences in parameters
- Requests for PHP files with unusual query parameters containing file paths
SIEM Query:
source="web_access.log" AND (uri="*../*" OR uri="*php?file=*" OR uri="*php?page=*")
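The log and network indicators above can be turned into a small offline triage script. The following is an added example, not part of the advisory or the Curly theme: it parses combined-format web access log lines (constructed sample traffic, not real logs), URL-decodes the request target so percent-encoded `../` sequences are caught, flags parameter values that carry file paths or the sensitive file names the advisory lists, and correlates a run of 404s from one client followed by a successful request carrying a traversal indicator. The request paths, client IPs and function names are assumptions made up for the example.

```python
"""Triage web access logs for the LFI indicators described in the advisory.

Added example; the log lines below are constructed, not captured traffic.
"""
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit, parse_qsl

# Combined log format: ip ident user [time] "METHOD target PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# File names that are a strong LFI indicator when they appear in a parameter value
# (taken from the advisory's log indicators).
SENSITIVE_NAMES = ("/etc/passwd", "wp-config.php")

# Constructed sample traffic. Paths are generic placeholders, not theme file names.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jan/2025:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.11 - - [01/Jan/2025:10:00:02 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 1890 "-" "curl/8.0"
203.0.113.12 - - [01/Jan/2025:10:00:03 +0000] "GET /index.php?file=..%2F..%2Fwp-config.php HTTP/1.1" 200 2200 "-" "python-requests/2.31"
203.0.113.13 - - [01/Jan/2025:10:00:04 +0000] "GET /old-page.php HTTP/1.1" 404 310 "-" "Mozilla/5.0"
203.0.113.13 - - [01/Jan/2025:10:00:05 +0000] "GET /another.php HTTP/1.1" 404 310 "-" "Mozilla/5.0"
203.0.113.13 - - [01/Jan/2025:10:00:06 +0000] "GET /index.php?file=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1890 "-" "Mozilla/5.0"
203.0.113.14 - - [01/Jan/2025:10:00:07 +0000] "GET /?s=hello+world&page=2 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""


def normalize(text: str) -> str:
    """URL-decode up to twice (catches %2e%2e%2f and double encoding) and unify slashes."""
    decoded = text
    for _ in range(2):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("\\", "/")


def classify(target: str) -> list:
    """Return the indicator names that a single request target triggers."""
    hits = []
    if "../" in normalize(target):
        hits.append("path_traversal")
    # Parse the query on the raw target so an encoded '&' inside a value is not split,
    # then normalize each value individually.
    for _, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        lowered = normalize(value).lower()
        if any(name in lowered for name in SENSITIVE_NAMES):
            hits.append("sensitive_file_in_param")
            break
        if "/" in lowered or lowered.endswith(".php"):
            hits.append("file_path_in_param")
            break
    return hits


def scan(log_text: str) -> list:
    """Classify every line and add the '404 burst then success' correlation per client IP."""
    findings = []
    consecutive_404 = defaultdict(int)  # consecutive 404 responses seen per client IP
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        ip, status, target = m["ip"], int(m["status"]), m["target"]
        hits = classify(target)
        if status == 404:
            consecutive_404[ip] += 1
        else:
            if status == 200 and hits and consecutive_404[ip] >= 2:
                hits.append("404_burst_then_success")
            consecutive_404[ip] = 0
        if hits:
            findings.append({"ip": ip, "status": status, "target": target, "indicators": hits})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["ip"], finding["status"], ",".join(finding["indicators"]), finding["target"])
```

Two design points matter for the SIEM query above: it matches the literal string `../`, so a percent-encoded traversal sequence in the raw URI field will not hit it unless the URI is decoded first or the encoded variants are added; and the `file_path_in_param` rule will also fire on legitimate parameters such as redirect targets, so tune it against a baseline of the site's normal query parameters before alerting on it.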