Skip to main content

Diza WordPress Theme CVE-2025-68544

HIGH
PHP Remote File Inclusion (CWE-98)
2025-12-23 audit@patchstack.com
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Updated
Apr 24, 2026 - 00:14 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 15:43 vuln.today
cvss_changed
CVSS changed
Apr 23, 2026 - 15:43 NVD
7.5 (HIGH)
Analysis Generated
Apr 01, 2026 - 17:44 vuln.today
CVE Published
Dec 23, 2025 - 12:15 nvd
N/A

DescriptionCVE.org

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Diza diza allows PHP Local File Inclusion.This issue affects Diza: from n/a through <= 1.3.15.

AnalysisAI

Local File Inclusion (LFI) vulnerability in the Diza WordPress theme (≤1.3.15) enables low-privileged authenticated attackers to include arbitrary local files, potentially leading to remote code execution, sensitive data exposure, or complete site compromise. The CVSS score of 7.5 reflects high complexity network-based attack requiring authentication. EPSS exploitation probability is low (0.17%, 38th percentile), with no confirmed active exploitation or public proof-of-concept at time of analysis, though the vulnerability has been cataloged by Patchstack's security research team.

Technical ContextAI

This vulnerability stems from CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program). Despite being classified as 'PHP Remote File Inclusion' in the description, tags and technical analysis confirm this is actually Local File Inclusion (LFI). The flaw occurs when the Diza theme improperly sanitizes user-supplied input used in PHP include() or require() statements, allowing authenticated users to manipulate file paths to include arbitrary local files from the web server. In WordPress themes, this commonly manifests in template loading mechanisms, AJAX handlers, or dynamic content inclusion features where file paths are constructed from user input without proper validation. Affected product per NVD CPE would be the Diza WordPress theme by thembay vendor, versions up to and including 1.3.15.

Affected ProductsAI

The vulnerability affects the Diza WordPress theme by thembay, all versions from earliest release through version 1.3.15. The vendor-specific product identifier is 'diza' in the WordPress theme repository. According to the Patchstack vulnerability database reference at https://patchstack.com/database/Wordpress/Theme/diza/vulnerability/wordpress-diza-theme-1-3-15-local-file-inclusion-vulnerability, sites running any version in this range on standard WordPress installations are vulnerable. No platform-specific limitations are indicated, suggesting the flaw affects all hosting environments running PHP-based WordPress deployments.

RemediationAI

Update the Diza theme to version 1.3.16 or later if available, as the vulnerability affects versions through 1.3.15, indicating a fix should be released in subsequent versions. Contact thembay directly or check the theme's official distribution channel for the patched release. Consult the Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/diza/vulnerability/wordpress-diza-theme-1-3-15-local-file-inclusion-vulnerability for vendor-confirmed fix details. If immediate patching is not possible, implement these compensating controls: restrict WordPress user registration to prevent unauthorized account creation (Settings → General → Membership), audit and remove unnecessary low-privilege user accounts, implement Web Application Firewall (WAF) rules to detect file inclusion patterns in HTTP parameters (regex matching '../' traversal sequences, absolute paths, or sensitive filenames like 'wp-config'), and enable PHP open_basedir restrictions to limit file system access scope. Note that WAF rules may cause false positives with legitimate theme functionality and open_basedir can break plugins expecting unrestricted file access. These mitigations reduce attack surface but do not eliminate the underlying vulnerability.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2025-68544 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy