How to fix CVE-2025-68841?

Within 24 hours: Inventory all WordPress installations using TopperPack plugin and document affected versions. Within 7 days: Implement WAF rules to block malicious file inclusion attempts targeting the plugin, disable the plugin if not operationally critical, or isolate affected servers from sensitive systems. Within 30 days: Monitor vendor (Themepul) for security patches and plan immediate deployment upon availability; consider alternative plugins if patch timeline is unacceptable.

Is PHP affected by CVE-2025-68841?

A critical file inclusion vulnerability affects organizations using the TopperPack WordPress plugin (versions ≤1.2.1), allowing attackers to access sensitive local files on affected servers.

CVE-2025-68841

HIGH

2026-02-20 [email protected]

7.5

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 22:04 vuln.today

CVE Published

Feb 20, 2026 - 16:22 nvd

HIGH 7.5

Description

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Themepul TopperPack - Complete Elementor Addons, Theme & CPT Builder topper-pack allows PHP Local File Inclusion.This issue affects TopperPack - Complete Elementor Addons, Theme & CPT Builder: from n/a through <= 1.2.1.

Analysis

Technical Context

Classified as CWE-98 (PHP Remote File Inclusion). Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Themepul TopperPack – Complete Elementor Addons, Theme & CPT Builder topper-pack allows PHP Local File Inclusion.This issue affects TopperPack – Complete Elementor Addons, Theme & CPT Builder: from n/a through <= 1.2.1.

Affected Products

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Themepul TopperPack – Complet

Remediation

Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.1

CVSS: +38

POC: 0

CVE-2025-68841 vulnerability details – vuln.today

Back

CVE-2025-68841

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2025-68841

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code