Diza WordPress Theme CVE-2025-68544
HIGHSeverity by source
AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Diza diza allows PHP Local File Inclusion.This issue affects Diza: from n/a through <= 1.3.15.
AnalysisAI
Local File Inclusion (LFI) vulnerability in the Diza WordPress theme (≤1.3.15) enables low-privileged authenticated attackers to include arbitrary local files, potentially leading to remote code execution, sensitive data exposure, or complete site compromise. The CVSS score of 7.5 reflects high complexity network-based attack requiring authentication. EPSS exploitation probability is low (0.17%, 38th percentile), with no confirmed active exploitation or public proof-of-concept at time of analysis, though the vulnerability has been cataloged by Patchstack's security research team.
Technical ContextAI
This vulnerability stems from CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program). Despite being classified as 'PHP Remote File Inclusion' in the description, tags and technical analysis confirm this is actually Local File Inclusion (LFI). The flaw occurs when the Diza theme improperly sanitizes user-supplied input used in PHP include() or require() statements, allowing authenticated users to manipulate file paths to include arbitrary local files from the web server. In WordPress themes, this commonly manifests in template loading mechanisms, AJAX handlers, or dynamic content inclusion features where file paths are constructed from user input without proper validation. Affected product per NVD CPE would be the Diza WordPress theme by thembay vendor, versions up to and including 1.3.15.
Affected ProductsAI
The vulnerability affects the Diza WordPress theme by thembay, all versions from earliest release through version 1.3.15. The vendor-specific product identifier is 'diza' in the WordPress theme repository. According to the Patchstack vulnerability database reference at https://patchstack.com/database/Wordpress/Theme/diza/vulnerability/wordpress-diza-theme-1-3-15-local-file-inclusion-vulnerability, sites running any version in this range on standard WordPress installations are vulnerable. No platform-specific limitations are indicated, suggesting the flaw affects all hosting environments running PHP-based WordPress deployments.
RemediationAI
Update the Diza theme to version 1.3.16 or later if available, as the vulnerability affects versions through 1.3.15, indicating a fix should be released in subsequent versions. Contact thembay directly or check the theme's official distribution channel for the patched release. Consult the Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/diza/vulnerability/wordpress-diza-theme-1-3-15-local-file-inclusion-vulnerability for vendor-confirmed fix details. If immediate patching is not possible, implement these compensating controls: restrict WordPress user registration to prevent unauthorized account creation (Settings → General → Membership), audit and remove unnecessary low-privilege user accounts, implement Web Application Firewall (WAF) rules to detect file inclusion patterns in HTTP parameters (regex matching '../' traversal sequences, absolute paths, or sensitive filenames like 'wp-config'), and enable PHP open_basedir restrictions to limit file system access scope. Note that WAF rules may cause false positives with legitimate theme functionality and open_basedir can break plugins expecting unrestricted file access. These mitigations reduce attack surface but do not eliminate the underlying vulnerability.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-98 – PHP Remote File Inclusion
View allShare
External POC / Exploit Code
Leaving vuln.today