CVE-2025-69081
Unknown Unknown - Not Provided
PHP Local File Inclusion Vulnerability in Hope ThemeREX Plugin

Publication date: 2026-01-07

Last updated on: 2026-04-23

Assigner: Patchstack

Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Hope charity-is-hope allows PHP Local File Inclusion.This issue affects Hope: from n/a through <= 3.0.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-07
Last Modified
2026-04-23
Generated
2026-06-16
AI Q&A
2026-01-07
EPSS Evaluated
2026-06-15
NVD
CVE-2025-69081
EUVD
EUVD-2026-1251
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
themerex_group hope From 3.0.0|end_including=3.0.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-98 The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-69081 is a Local File Inclusion (LFI) vulnerability in the WordPress Hope Theme up to version 3.0.0. It allows unauthenticated attackers to include and display local files from the target website by exploiting improper control of filename parameters in PHP include/require statements. This can expose sensitive files such as those containing database credentials. [1]

Impact Analysis

This vulnerability can lead to exposure of sensitive information like database credentials, potentially allowing attackers to take over the entire database depending on the website's configuration. It poses a high risk with a CVSS score of 8.1 and can be exploited without any privileges, making affected sites highly vulnerable to attacks. [1]

Detection Guidance

Detection can involve monitoring for attempts to exploit Local File Inclusion (LFI) by looking for suspicious HTTP requests that include file path traversal patterns or attempts to include local files. Specific commands are not provided in the resources, but typical detection methods include analyzing web server logs for requests containing patterns like "../" or attempts to access sensitive files. Using web application firewalls (WAF) with rules targeting LFI can also help detect exploitation attempts. [1]

Mitigation Strategies

Immediate mitigation steps include applying the mitigation rule issued by Patchstack to block attacks targeting this vulnerability until an official patch is released. Since no official fix is currently available for the theme, applying this mitigation rule is recommended to protect affected websites from exploitation. [1]

Compliance Impact

The provided resources do not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-69081. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart