CVE-2025-67955 – This vulnerability allows attackers to include ... (How to Fix)

📋 TL;DR

This vulnerability allows attackers to include local PHP files through improper filename control in the MyHome Core WordPress plugin. Attackers can potentially read sensitive files or execute arbitrary code by manipulating file inclusion parameters. All WordPress sites using MyHome Core plugin versions up to and including 4.1.0 are affected.

💻 Affected Systems

Products:

TangibleWP MyHome Core WordPress Plugin

Versions: All versions up to and including 4.1.0

Operating Systems: Any OS running PHP and WordPress

Default Config Vulnerable: ⚠️ Yes

Notes: Requires WordPress installation with MyHome Core plugin active

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:

Review the CVE details at NVD
Check vendor security advisories for your specific version
Test if the vulnerability is exploitable in your environment
Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise, data theft, and website defacement

🟠

Likely Case

Local file inclusion allowing sensitive file disclosure (configuration files, credentials) and limited code execution

🟢

If Mitigated

Information disclosure limited to web-accessible files if proper file permissions are configured

🌐 Internet-Facing: HIGH - WordPress plugins are typically internet-facing and this vulnerability requires no authentication

🏢 Internal Only: MEDIUM - Internal systems could still be targeted through phishing or compromised internal accounts

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Simple HTTP requests can trigger the vulnerability without authentication

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.1.1 or later

Vendor Advisory: https://patchstack.com/database/Wordpress/Plugin/myhome-core/vulnerability/wordpress-myhome-core-plugin-4-1-0-local-file-inclusion-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into WordPress admin panel
2. Navigate to Plugins > Installed Plugins
3. Find MyHome Core plugin
4. Click 'Update Now' if update available
5. If no update available, download version 4.1.1+ from WordPress repository
6. Deactivate old version, upload new version, activate

🔧 Temporary Workarounds

Disable Plugin

all

Temporarily disable the vulnerable plugin until patched

wp plugin deactivate myhome-core

Restrict PHP File Inclusion

linux

Add .htaccess rules to restrict file inclusion patterns

# Add to .htaccess in WordPress root:
<FilesMatch "\.(php|inc)$">
    Order Deny,Allow
    Deny from all
</FilesMatch>

🧯 If You Can't Patch

Implement web application firewall (WAF) rules to block file inclusion patterns
Restrict file system permissions and implement strict file upload controls

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > MyHome Core version. If version is 4.1.0 or lower, you are vulnerable.

Check Version:

wp plugin get myhome-core --field=version

Verify Fix Applied:

Verify MyHome Core plugin version is 4.1.1 or higher in WordPress admin panel

📡 Detection & Monitoring

Log Indicators:

Unusual file inclusion patterns in PHP error logs
HTTP requests with suspicious file parameters to plugin endpoints

Network Indicators:

HTTP requests containing file inclusion patterns (../, /etc/passwd, etc.) to MyHome Core plugin URLs

SIEM Query:

source="web_logs" AND (uri="*myhome-core*" AND (params="*../*" OR params="*/etc/*" OR params="*php://*"))

📊 Metadata

CVE ID: CVE-2025-67955

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE: CWE-98

EPSS Score: 0.06% exploit probability (17.4th percentile)

Published: January 22, 2026

Last Updated: January 29, 2026

🔗 References

https://patchstack.com/database/Wordpress/Plugin/myhome-core/vulnerability/wordpress-myhome-core-plugin-4-1-0-local-file-inclusion-vulnerability?_s_id=cve

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-67955, you might also want to check these: