CVE-2025-68544
Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Diza diza allows PHP Local File Inclusion. This issue affects Diza: from n/a through <= 1.3.15.
Analysis
Local file inclusion (LFI) vulnerability in thembay Diza WordPress theme through version 1.3.15 allows unauthenticated attackers to read arbitrary files from the server filesystem via improper control of filename parameters in PHP include/require statements. The vulnerability affects all versions of Diza up to and including 1.3.15, with no public exploit code identified at time of analysis, though the low EPSS score (0.17%) suggests limited real-world exploitation probability despite the attack vector being remote and unauthenticated.
Technical Context
This vulnerability is an instance of CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program, a class of weakness where user-supplied input is passed unsanitized to PHP functions like include(), require(), include_once(), or require_once() without proper validation or whitelisting. The Diza theme (a WordPress theme by thembay) contains a parameter injection point that permits attackers to traverse directory paths or reference arbitrary files on the server. WordPress themes execute with the privileges of the web server process, so an included file can be any file that process can read: sensitive configuration files, private keys, source code, and other resources. The advisory title classifies the weakness under the CWE-98 name "PHP Remote File Inclusion", but the description correctly identifies the impact as local file inclusion, which is distinct from true RFI, where the include target is a remote URL and the attacker's own code is loaded.
Affected Products
The thembay Diza WordPress theme is affected in all versions from an unspecified baseline through version 1.3.15 inclusive. The vulnerability is documented in the Patchstack database for the WordPress Diza theme. No CPE data is available in the provided references, but the Patchstack advisory identifies the product as 'WordPress/Theme/diza', as seen in the reference URL path.
Remediation
WordPress site administrators using the Diza theme must update to a patched version released after 1.3.15. The exact patched version number is not provided in the available data; administrators should check the thembay repository or WordPress.org theme directory for the latest available version and upgrade immediately. As an interim mitigation pending patching, disable or restrict access to the vulnerable theme functionality if possible, or implement web application firewall (WAF) rules to block common LFI payloads (directory traversal sequences such as ../ and protocol wrappers like file://, php://, etc.). For detailed guidance, refer to the Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/diza/vulnerability/wordpress-diza-theme-1-3-15-local-file-inclusion-vulnerability.
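To support the interim mitigation above, the following is an added example (not from the advisory or the Diza theme) that scans access-log lines for the LFI indicators the remediation names, traversal sequences and PHP stream wrappers, after repeated percent-decoding so that double-encoded payloads are not missed. The `template` parameter name and the log lines are constructed for illustration; Diza's real parameter is not given in the advisory.

```python
import re
from urllib.parse import unquote, urlsplit

# Indicator classes from the advisory's interim mitigation: directory traversal
# sequences and PHP stream wrappers. Null bytes are flagged as well, since they
# are a classic include-path truncation trick. Matching happens after decoding.
TRAVERSAL = re.compile(r"\.\.[/\\]")
WRAPPER = re.compile(r"\b(?:php|file|data|expect|phar|zip|glob)://", re.IGNORECASE)
# Combined-format access log: client ident user [timestamp] "METHOD URI PROTO" status
LOG_LINE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})')

def fully_decode(value, max_rounds=3):
    """Percent-decode until stable so double-encoded payloads (%252e -> %2e -> .) are normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def lfi_indicators(uri):
    """Return [(param, kind), ...] for every query parameter carrying an LFI indicator."""
    found = []
    for pair in urlsplit(uri).query.split("&"):
        if not pair:
            continue
        name, _, raw = pair.partition("=")
        value = fully_decode(raw)
        if "\x00" in value:
            found.append((name, "null-byte"))
        if TRAVERSAL.search(value):
            found.append((name, "traversal"))
        if WRAPPER.search(value):
            found.append((name, "wrapper"))
    return found

def scan_log(lines):
    """Parse access-log lines; return one record per request that carries LFI indicators."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        indicators = lfi_indicators(m.group("uri"))
        if indicators:
            hits.append({"client": m.group("client"), "status": m.group("status"),
                         "uri": m.group("uri"), "indicators": indicators})
    return hits

# Constructed sample log; 'template' is a placeholder parameter name, not Diza's real one.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2025:10:00:01 +0000] "GET /?template=header HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Jan/2025:10:00:02 +0000] "GET /?template=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 1984',
    '198.51.100.7 - - [10/Jan/2025:10:00:03 +0000] "GET /?template=file%3A%2F%2F%2Fetc%2Fpasswd HTTP/1.1" 403 0',
    '203.0.113.9 - - [10/Jan/2025:10:00:04 +0000] "GET /?template=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 500 0',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["client"], hit["status"], hit["indicators"], hit["uri"])
```

A traversal hit that returned HTTP 200 (the second sample line) deserves the closest look, since the theme may have served the file rather than rejected the request.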