CVE-2025-68065
📋 TL;DR
This vulnerability allows attackers to include local files on the server through improper filename control in PHP include/require statements. It affects WordPress sites using the Hub Core plugin from LiquidThemes. Attackers can potentially read sensitive files or execute code depending on server configuration.
💻 Affected Systems
- LiquidThemes Hub Core WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete server compromise, data exfiltration, and website defacement.
Likely Case
Local file inclusion allowing reading of sensitive files like configuration files, logs, or database credentials.
If Mitigated
Limited impact if proper file permissions and security controls restrict file access and execution.
🎯 Exploit Status
Simple HTTP requests can trigger the vulnerability. Public proof-of-concept available through security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.0.9 or later
Vendor Advisory: https://patchstack.com/database/Wordpress/Plugin/hub-core/vulnerability/wordpress-hub-core-plugin-5-0-8-local-file-inclusion-vulnerability?_s_id=cve
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find Hub Core plugin. 4. Click 'Update Now' if update available. 5. Alternatively, download version 5.0.9+ from WordPress repository and manually update.
🔧 Temporary Workarounds
Disable Plugin
allTemporarily disable the Hub Core plugin until patched
wp plugin deactivate hub-core
Restrict File Access
linuxSet strict file permissions on sensitive directories
chmod 640 wp-config.php
chmod 750 wp-content/plugins/hub-core/
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block file inclusion patterns
- Restrict plugin directory permissions and disable unnecessary PHP functions
🔍 How to Verify
Check if Vulnerable:
Check Hub Core plugin version in WordPress admin under Plugins → Installed PluginsCheck Version:
wp plugin get hub-core --field=versionVerify Fix Applied:
Confirm plugin version is 5.0.9 or higher after update📡 Detection & Monitoring
Log Indicators:
- Unusual file paths in PHP error logs
- Multiple requests to plugin files with path traversal parameters
Network Indicators:
- HTTP requests containing '../' or absolute paths in parameters
- Requests to hub-core plugin files with unusual parameters
SIEM Query:
web.url:*hub-core* AND (web.param:*../* OR web.param:*etc/passwd*)