CVE-2025-68067
📋 TL;DR
This vulnerability allows attackers to include local files on the server through improper filename control in PHP's include/require statements. It affects WordPress sites using the Stockholm Core plugin, potentially leading to sensitive file disclosure or code execution. All sites running Stockholm Core version 2.4.6 or earlier are vulnerable.
💻 Affected Systems
- Select-Themes Stockholm Core
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise through local file inclusion leading to remote code execution, data theft, and complete site takeover.
Likely Case
Sensitive file disclosure (configuration files, database credentials), limited code execution, and privilege escalation.
If Mitigated
Limited impact due to proper file permissions, web application firewalls, and restricted PHP functions.
🎯 Exploit Status
Exploitation requires knowledge of file paths but is straightforward once identified. Public proof-of-concept exists in security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.4.7 or later
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find Stockholm Core plugin. 4. Click 'Update Now' if available. 5. Alternatively, download version 2.4.7+ from WordPress repository and manually update.
🔧 Temporary Workarounds
Disable Stockholm Core Plugin
allTemporarily disable the vulnerable plugin until patched
wp plugin deactivate stockholm-core
Web Application Firewall Rule
allBlock requests containing local file inclusion patterns
Add WAF rule to block requests with patterns like '../../', 'php://', 'file://' in parameters
🧯 If You Can't Patch
- Implement strict file permissions (config files should be 600, web directories 755)
- Deploy web application firewall with LFI protection rules
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Installed Plugins for Stockholm Core version <= 2.4.6Check Version:
wp plugin get stockholm-core --field=versionVerify Fix Applied:
Verify Stockholm Core plugin version is 2.4.7 or higher in WordPress admin📡 Detection & Monitoring
Log Indicators:
- HTTP requests with parameters containing '../../', 'file://', or unusual file paths
- PHP warnings about failed file inclusions
Network Indicators:
- Unusual GET/POST requests to WordPress admin-ajax.php or similar endpoints with file path parameters
SIEM Query:
source="web_logs" AND (uri="*admin-ajax.php*" OR uri="*wp-admin*" OR uri="*wp-json*") AND (param="*../../*" OR param="*file://*" OR param="*php://*")