CVE-2025-69064 – This vulnerability allows attackers to include ... (How to Fix)

Q: What is the severity of CVE-2025-69064?

CVE-2025-69064 has a CVSS score of 8.1 (HIGH). This vulnerability allows attackers to include local files on the server through PHP's include/require statements in the Pets Land WordPress theme. Attackers can potentially read sensitive files or execute code by manipulating file paths. All WordPress sites using Pets Land theme version 1.2.8 or earlier are affected.

📋 TL;DR

This vulnerability allows attackers to include local files on the server through PHP's include/require statements in the Pets Land WordPress theme. Attackers can potentially read sensitive files or execute code by manipulating file paths. All WordPress sites using Pets Land theme version 1.2.8 or earlier are affected.

💻 Affected Systems

Products:

AncoraThemes Pets Land WordPress Theme

Versions: All versions up to and including 1.2.8

Operating Systems: Any OS running PHP

Default Config Vulnerable: ⚠️ Yes

Notes: Requires WordPress installation with Pets Land theme active. PHP configuration with allow_url_include disabled still vulnerable to local file inclusion.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:

Review the CVE details at NVD
Check vendor security advisories for your specific version
Test if the vulnerability is exploitable in your environment
Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete server compromise, data theft, and website defacement.

🟠

Likely Case

Sensitive file disclosure (configuration files, database credentials) and limited code execution.

🟢

If Mitigated

File read attempts blocked, no code execution possible.

🌐 Internet-Facing: HIGH - WordPress themes are internet-facing by design and vulnerable to unauthenticated attacks.

🏢 Internal Only: MEDIUM - Internal systems could still be targeted through phishing or compromised accounts.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Simple path traversal or parameter manipulation required. Exploit code likely circulating in security communities.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version after 1.2.8

Vendor Advisory: https://patchstack.com/database/Wordpress/Theme/petsland/vulnerability/wordpress-pets-land-theme-1-2-8-local-file-inclusion-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Appearance > Themes. 3. Check if Pets Land theme update is available. 4. Update to latest version. 5. If no update available, replace with patched version manually.

🔧 Temporary Workarounds

Disable vulnerable theme

all

Switch to default WordPress theme until patch is available

wp theme activate twentytwentyfour

Web Application Firewall rule

linux

Block requests containing path traversal patterns in theme parameters

ModSecurity rule: SecRule ARGS "\.\./" "phase:2,deny,status:403,id:1001"

🧯 If You Can't Patch

Implement strict input validation on all file inclusion parameters
Apply principle of least privilege to web server user account

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Appearance > Themes for Pets Land version <= 1.2.8

Check Version:

wp theme list --name=petsland --field=version

Verify Fix Applied:

Confirm theme version is > 1.2.8 and test file inclusion attempts return errors

📡 Detection & Monitoring

Log Indicators:

HTTP requests with ../ patterns in query strings
PHP warnings about failed file inclusions
Access to sensitive files like wp-config.php

Network Indicators:

Unusual file paths in GET parameters
Repeated requests to theme files with varying parameters

SIEM Query:

source="web_logs" AND (uri="*petsland*" AND (param="*../*" OR param="*php://*"))

📊 Metadata

CVE ID: CVE-2025-69064

CVSS v3 Score: 8.1 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-98

EPSS Score: 0.15% exploit probability (35.8th percentile)

Published: January 22, 2026

Last Updated: January 29, 2026

🔗 References

https://patchstack.com/database/Wordpress/Theme/petsland/vulnerability/wordpress-pets-land-theme-1-2-8-local-file-inclusion-vulnerability?_s_id=cve

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-69064, you might also want to check these: