CVE-2025-68064
Deferred Deferred - Pending Action

Local File Inclusion in Goya Core

Vulnerability report for CVE-2025-68064, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: Patchstack

Description

Contributor Local File Inclusion in Goya Core < 1.0.9.4 versions.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-26
Last Modified
2026-06-26
Generated
2026-07-16
AI Q&A
2026-06-26
EPSS Evaluated
2026-07-15
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
patchstack goya_core to 1.0.9.4 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-98 The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2025-68064 is a Local File Inclusion (LFI) vulnerability in the WordPress Goya Core Plugin versions prior to 1.0.9.4.

This vulnerability allows an attacker with contributor-level access to include local files from the target website.

By exploiting this, an attacker could potentially expose sensitive data such as database credentials if the website's configuration permits it.

Impact Analysis

The vulnerability has a high CVSS severity score of 7.5, indicating a significant risk if exploited.

An attacker with contributor-level access could use this flaw to access sensitive local files on your website.

This could lead to exposure of critical information such as database credentials, which may compromise the security and integrity of your website.

Although the likelihood of exploitation is considered low by Patchstack, the impact of a successful attack could be severe.

Immediate action is recommended, such as updating the plugin to version 1.0.9.4 or later, or seeking assistance from your hosting provider or web developer.

Compliance Impact

The Local File Inclusion vulnerability in the Goya Core Plugin allows an attacker with contributor-level access to potentially expose sensitive data such as database credentials. Exposure of such sensitive information could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive data against unauthorized access.

Therefore, if exploited, this vulnerability may compromise the confidentiality and integrity of sensitive data, impacting compliance with common standards and regulations that mandate strict data security controls.

Mitigation Strategies

The immediate recommended action is to update the WordPress Goya Core Plugin to version 1.0.9.4 or later.

If updating is not feasible, users should seek assistance from their hosting provider or web developer.

Patchstack users can enable auto-updates for vulnerable plugins to mitigate the risk automatically.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-68064. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart