CVE-2025-68546
Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Thembay Nika allows PHP Local File Inclusion. This issue affects Nika: from n/a through <= 1.2.14.
Analysis
A local file inclusion (LFI) vulnerability in the Thembay Nika WordPress theme, version 1.2.14 and earlier, allows an attacker, reportedly without authentication, to control the filename passed to a PHP include/require statement and so pull arbitrary files on the server into the running script. Because include() executes whatever PHP it finds and echoes everything else, the impact is not limited to reading files: configuration files such as wp-config.php (database credentials, salts), application source and other protected data can be disclosed, and if the attacker can also place content on disk (an upload, a poisoned log) the same flaw becomes code execution. The vulnerability has a low EPSS score (0.17%, 38th percentile) and no confirmed active exploitation at the time of writing.
Technical Context
The vulnerability is classified as CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program), the classic PHP file inclusion weakness; the CWE covers both remote and local inclusion, and this instance is the local variant. The Nika theme appears to pass user-supplied input (most likely a GET or POST parameter) into a PHP include() or require() statement without validating it against the set of files the code actually intends to load. Path traversal sequences such as ../../../ then escape the intended directory, and a fixed prefix or suffix around the parameter does not help: with include($dir . '/' . $name . '.php'), a value of ../../../../wp-config still resolves to wp-config.php. Where no prefix is applied at all, PHP stream wrappers such as php://filter/convert.base64-encode/resource=wp-config.php return source code base64-encoded instead of executing it. Unlike remote file inclusion (RFI), which PHP disables by default through allow_url_include=Off, this LFI variant is restricted to files already on the server, but that still covers database credentials, configuration secrets and application source.
Affected Products
The Thembay Nika WordPress theme, version 1.2.14 and all earlier versions, is affected. Any WordPress installation with Nika installed should be treated as exposed: if the vulnerable PHP file can be requested directly over HTTP, it is reachable even when Nika is not the active theme, since inactive theme files still live under wp-content/themes/ and are served by the web server. Affected users should identify the installed version from the WordPress admin panel (Appearance > Themes), with WP-CLI (wp theme list), or from the Version: header at the top of the theme's style.css file.
Remediation
Update the Nika theme to a version later than 1.2.14 in which Thembay addresses this issue; obtain it through Thembay's own release channel for the theme, since Nika is a commercial theme rather than one distributed from WordPress.org. If no patched version is available, disable or remove the Nika theme and switch to an alternative. In the interim, restrict direct HTTP requests to PHP files under the theme directory (for example, a web server rule that denies requests for *.php below /wp-content/themes/nika/ while still serving the theme's CSS, JavaScript and image assets; blocking the whole directory would break the site's front end), and deploy a Web Application Firewall (WAF) rule for path traversal. That rule must normalise before matching: URL-decode the parameter (including double encoding such as %252e%252e%252f), treat backslashes as slashes, and also reject php://, data:// and expect:// stream wrappers, otherwise a plain "../" signature is trivially bypassed. The official vulnerability report is available at https://patchstack.com/database/Wordpress/Theme/nika/vulnerability/wordpress-nika-theme-1-2-14-local-file-inclusion-vulnerability.
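As an added example of the interim request filter described above (not Thembay's code and not Patchstack's rule), the following must-use plugin inspects every GET and POST parameter before the theme loads and rejects traversal sequences and stream wrappers after normalising the encoding. The advisory does not name the vulnerable parameter, so all parameters are checked; the plugin's name, function prefix and the list of wrappers are assumptions for this example.

```php
<?php
/*
Plugin Name: Interim traversal guard (added example, not a Thembay release)
Description: Blocks requests carrying path traversal or PHP stream wrappers
             in any GET/POST parameter. Install in wp-content/mu-plugins/.
*/

// Decode repeatedly so that %2e%2e%2f and %252e%252e%252f both become "../",
// then fold backslashes into slashes so "..\" is caught by the same pattern.
function itg_normalize(string $value): string
{
    for ($i = 0; $i < 3; $i++) {
        $decoded = rawurldecode($value);
        if ($decoded === $value) {
            break;
        }
        $value = $decoded;
    }
    return str_replace('\\', '/', $value);
}

// True when the value contains a ".." path component, starts with a PHP
// stream wrapper (php://filter discloses source; data:// and expect:// run
// code when enabled), or points straight at /etc or /proc.
function itg_is_traversal(string $value): bool
{
    $v = itg_normalize($value);
    return (bool) preg_match('#(^|/)\.\.(/|$)#', $v)
        || (bool) preg_match('#^(php|data|expect|phar|zip|glob)://#i', $v)
        || (bool) preg_match('#^/(etc|proc)/#', $v);
}

// Walk nested parameters (foo[bar]=...) and return the offending names.
function itg_scan(array $params, string $prefix = ''): array
{
    $hits = [];
    foreach ($params as $name => $value) {
        $label = $prefix === '' ? (string) $name : $prefix . '[' . $name . ']';
        if (is_array($value)) {
            $hits = array_merge($hits, itg_scan($value, $label));
        } elseif (itg_is_traversal((string) $value)) {
            $hits[] = $label;
        }
    }
    return $hits;
}

// mu-plugins load before the active theme, so this runs ahead of any theme
// code that WordPress itself includes. It cannot protect a theme file that
// is requested directly by URL (that request never reaches WordPress);
// the web server rule in the text above covers that case.
if (defined('ABSPATH')) {
    $itg_hits = itg_scan(array_merge($_GET, $_POST));
    if ($itg_hits !== []) {
        error_log('traversal guard blocked parameter(s) ' . implode(', ', $itg_hits)
            . ' from ' . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
        http_response_code(403);
        exit;
    }
}
```

The ".." pattern requires a path separator on at least one side, so ordinary values such as "file..txt" or an ellipsis in a comment are not blocked; a legitimate POST body that genuinely contains "../" (for example, a relative link pasted into post content) would be, so on sites where that matters limit the scan to $_GET or to the theme's request paths once the vulnerable parameter is known. Each block is written to the PHP error log so the hits can be correlated with the WAF's own events.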