CVE-2025-67957
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-22

Last updated on: 2026-01-29

Assigner: Patchstack

Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in TangibleWP Listivo Core listivo-core allows PHP Local File Inclusion.This issue affects Listivo Core: from n/a through <= 2.3.77.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-22
Last Modified
2026-01-29
Generated
2026-06-16
AI Q&A
2026-01-22
EPSS Evaluated
2026-06-15
NVD
CVE-2025-67957
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
patchstack listivo_core to 2.3.77 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-98 The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-67957 is a Local File Inclusion (LFI) vulnerability in the WordPress Listivo Core Plugin versions up to 2.3.77. It allows an unauthenticated attacker to include and display local files from the target website by exploiting improper control of filenames in include/require statements. This can expose sensitive information such as database credentials and potentially lead to a complete database takeover depending on the website's configuration. [1]

Impact Analysis

This vulnerability can impact you by allowing an attacker to access and display sensitive local files on your website without authentication. This exposure can lead to disclosure of critical information like database credentials and may result in a complete database takeover, compromising the security and integrity of your website and data. [1]

Compliance Impact

This vulnerability can negatively affect compliance with standards such as GDPR and HIPAA because it may lead to unauthorized disclosure of sensitive personal or protected health information stored on the affected system. Such data breaches can result in violations of data protection regulations, leading to legal and financial consequences. [1]

Detection Guidance

Detection of this Local File Inclusion (LFI) vulnerability can be done by monitoring for attempts to include local files via the vulnerable WordPress Listivo Core Plugin (versions ≀ 2.3.77). One can look for suspicious HTTP requests targeting the plugin that attempt to include local files, such as requests containing parameters with file paths (e.g., ../../etc/passwd). Network or web server logs can be searched for such patterns. Specific commands might include using grep on web server logs to find suspicious inclusion attempts, for example: grep -i 'listivo-core' /var/log/apache2/access.log | grep -E '(\.|%2e){2,}/' or using intrusion detection systems with rules targeting this vulnerability. Patchstack provides mitigation rules that can help detect and block attacks targeting this vulnerability. [1]

Mitigation Strategies

The immediate mitigation step is to update the WordPress Listivo Core Plugin to version 2.3.78 or later, where the vulnerability is fixed. Until the update can be applied, users of Patchstack can enable mitigation rules provided by Patchstack to block attacks targeting this vulnerability. Additionally, enabling auto-updates for vulnerable plugins can ensure rapid protection against exploitation. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-67957. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart