CVE-2025-67980 – This CVE describes a Local File Inclusion (LFI)... (How to Fix)

Q: What is the severity of CVE-2025-67980?

CVE-2025-67980 has a CVSS score of 8.1 (HIGH). This CVE describes a Local File Inclusion (LFI) vulnerability in the Hara WordPress theme that allows attackers to include arbitrary local files through improper filename control in PHP include/require statements. Attackers can potentially read sensitive files or execute code by including malicious files. This affects all WordPress sites using Hara theme version 1.2.17 and earlier.

📋 TL;DR

This CVE describes a Local File Inclusion (LFI) vulnerability in the Hara WordPress theme that allows attackers to include arbitrary local files through improper filename control in PHP include/require statements. Attackers can potentially read sensitive files or execute code by including malicious files. This affects all WordPress sites using Hara theme version 1.2.17 and earlier.

💻 Affected Systems

Products:

WordPress Hara Theme

Versions: n/a through <= 1.2.17

Operating Systems: All operating systems running PHP

Default Config Vulnerable: ⚠️ Yes

Notes: Requires WordPress installation with Hara theme active. PHP configuration with allow_url_include disabled does not prevent LFI.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:

Review the CVE details at NVD
Check vendor security advisories for your specific version
Test if the vulnerability is exploitable in your environment
Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise, data exfiltration, and persistent backdoor installation.

🟠

Likely Case

Sensitive file disclosure (configuration files, database credentials, user data) and limited code execution within web server context.

🟢

If Mitigated

Limited information disclosure if file permissions are properly configured and web server runs with minimal privileges.

🌐 Internet-Facing: HIGH - WordPress themes are typically internet-facing and this vulnerability requires no authentication.

🏢 Internal Only: MEDIUM - Internal WordPress installations could still be exploited by authenticated users or through other attack vectors.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

LFI vulnerabilities are commonly exploited and weaponization is likely given the public disclosure and WordPress ecosystem.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: >1.2.17

Vendor Advisory: https://patchstack.com/database/Wordpress/Theme/hara/vulnerability/wordpress-hara-theme-1-2-17-local-file-inclusion-vulnerability-2?_s_id=cve

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Appearance > Themes. 3. Check if Hara theme update is available. 4. Update to latest version (>1.2.17). 5. If no update available, replace with secure alternative theme.

🔧 Temporary Workarounds

Disable vulnerable theme

all

Switch to default WordPress theme or another secure theme

wp theme activate twentytwentyfour
wp theme delete hara

Web Application Firewall rules

linux

Block LFI attack patterns at WAF level

ModSecurity rule: SecRule ARGS "\.\./" "id:1001,phase:2,deny,status:403,msg:'Local File Inclusion attempt'

🧯 If You Can't Patch

Implement strict file permissions (chmod 600 for sensitive files, webroot outside document root)
Deploy web application firewall with LFI detection rules and restrict PHP file functions via disable_functions directive

🔍 How to Verify

Check if Vulnerable:

Check WordPress theme version: wp theme list | grep hara or inspect wp-content/themes/hara/style.css Version header

Check Version:

wp theme list --fields=name,status,version | grep hara

Verify Fix Applied:

Confirm theme version >1.2.17 and test LFI payloads return 403/404 errors instead of file contents

📡 Detection & Monitoring

Log Indicators:

HTTP requests with ../ patterns in parameters
Access to sensitive files like /etc/passwd, wp-config.php from web logs
PHP errors about failed include/require with unusual paths

Network Indicators:

Unusual file paths in URL parameters
Requests to theme files with parameter manipulation

SIEM Query:

source="web_access.log" AND (url="*../*" OR url="*..\\*" OR url="*etc/passwd*" OR url="*wp-config*" OR url="*theme=hara*")

📊 Metadata

CVE ID: CVE-2025-67980

CVSS v3 Score: 8.1 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-98

Published: February 20, 2026

Last Updated: February 24, 2026

🔗 References

https://patchstack.com/database/Wordpress/Theme/hara/vulnerability/wordpress-hara-theme-1-2-17-local-file-inclusion-vulnerability-2?_s_id=cve

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-67980, you might also want to check these: