CVE-2025-69081
Unknown Unknown - Not Provided
PHP Local File Inclusion Vulnerability in Hope ThemeREX Plugin

Publication date: 2026-01-07

Last updated on: 2026-04-23

Assigner: Patchstack

Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Hope charity-is-hope allows PHP Local File Inclusion.This issue affects Hope: from n/a through <= 3.0.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-07
Last Modified
2026-04-23
Generated
2026-05-07
AI Q&A
2026-01-07
EPSS Evaluated
2026-05-05
NVD
CVE-2025-69081
EUVD
EUVD-2026-1251
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
themerex_group hope From 3.0.0|end_including=3.0.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-98 The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-69081 is a Local File Inclusion (LFI) vulnerability in the WordPress Hope Theme up to version 3.0.0. It allows unauthenticated attackers to include and display local files from the target website by exploiting improper control of filename parameters in PHP include/require statements. This can expose sensitive files such as those containing database credentials. [1]


How can this vulnerability impact me? :

This vulnerability can lead to exposure of sensitive information like database credentials, potentially allowing attackers to take over the entire database depending on the website's configuration. It poses a high risk with a CVSS score of 8.1 and can be exploited without any privileges, making affected sites highly vulnerable to attacks. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection can involve monitoring for attempts to exploit Local File Inclusion (LFI) by looking for suspicious HTTP requests that include file path traversal patterns or attempts to include local files. Specific commands are not provided in the resources, but typical detection methods include analyzing web server logs for requests containing patterns like "../" or attempts to access sensitive files. Using web application firewalls (WAF) with rules targeting LFI can also help detect exploitation attempts. [1]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include applying the mitigation rule issued by Patchstack to block attacks targeting this vulnerability until an official patch is released. Since no official fix is currently available for the theme, applying this mitigation rule is recommended to protect affected websites from exploitation. [1]


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

The provided resources do not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart