CVE-2025-67988
Awaiting Analysis Awaiting Analysis - Queue

Local File Inclusion in LoftOcean CozyStay PHP

Vulnerability report for CVE-2025-67988, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-02-20

Last updated on: 2026-02-24

Assigner: Patchstack

Description

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in LoftOcean CozyStay cozystay allows PHP Local File Inclusion.This issue affects CozyStay: from n/a through < 1.9.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-02-20
Last Modified
2026-02-24
Generated
2026-07-06
AI Q&A
2026-02-20
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
loftocean cozystay to 1.9.1 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-98 The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

I don't know

Impact Analysis

[{'type': 'paragraph', 'content': 'Exploitation of this vulnerability can lead to exposure of sensitive information like database credentials.'}, {'type': 'paragraph', 'content': "If attackers obtain these credentials, they could potentially take over the entire database depending on the website's configuration."}, {'type': 'paragraph', 'content': 'This represents a severe security risk with a CVSS score of 8.1, indicating high priority for remediation.'}] [1]

Executive Summary

CVE-2025-67988 is a Local File Inclusion (LFI) vulnerability in the WordPress CozyStay Theme versions prior to 1.9.1.

This vulnerability allows unauthenticated attackers to include and display local files from the target website by exploiting improper control of filename parameters in PHP include/require statements.

As a result, attackers can potentially access sensitive information stored in local files, such as database credentials.

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability allows unauthenticated attackers to include and display local files from the target website, which can be detected by monitoring for suspicious HTTP requests attempting to exploit Local File Inclusion (LFI) patterns.'}, {'type': 'paragraph', 'content': 'Detection can involve inspecting web server logs for requests containing suspicious parameters that include file paths or traversal sequences (e.g., ../) targeting the CozyStay theme.'}, {'type': 'paragraph', 'content': 'While specific commands are not provided, common approaches include using tools like grep to search web server logs for suspicious patterns, for example:'}, {'type': 'list_item', 'content': "grep -i 'include' /var/log/apache2/access.log"}, {'type': 'list_item', 'content': "grep -E '\\.\\./|%2e%2e%2f' /var/log/apache2/access.log"}, {'type': 'paragraph', 'content': 'Additionally, using web vulnerability scanners that detect LFI vulnerabilities can help identify exploitation attempts.'}] [1]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'The most immediate and effective mitigation is to update the CozyStay WordPress theme to version 1.9.1 or later, where the vulnerability has been patched.'}, {'type': 'paragraph', 'content': "Until the update can be applied, users should implement Patchstack's mitigation rules designed to block attacks targeting this vulnerability."}, {'type': 'paragraph', 'content': 'It is also recommended to monitor and block suspicious requests that attempt to exploit Local File Inclusion vulnerabilities.'}] [1]

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-67988. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart