CVE-2025-68064
Deferred Deferred - Pending Action
Local File Inclusion in Goya Core

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: Patchstack

Description
Contributor Local File Inclusion in Goya Core < 1.0.9.4 versions.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-26
Last Modified
2026-06-26
Generated
2026-06-26
AI Q&A
2026-06-26
EPSS Evaluated
N/A
NVD
CVE-2025-68064
EUVD
EUVD-2025-210359
Affected Vendors & Products
Currently, no data is known.
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-98 The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-68064 is a Local File Inclusion (LFI) vulnerability in the WordPress Goya Core Plugin versions prior to 1.0.9.4.

This vulnerability allows an attacker with contributor-level access to include local files from the target website.

By exploiting this, an attacker could potentially expose sensitive data such as database credentials if the website's configuration permits it.

Impact Analysis

The vulnerability has a high CVSS severity score of 7.5, indicating a significant risk if exploited.

An attacker with contributor-level access could use this flaw to access sensitive local files on your website.

This could lead to exposure of critical information such as database credentials, which may compromise the security and integrity of your website.

Although the likelihood of exploitation is considered low by Patchstack, the impact of a successful attack could be severe.

Immediate action is recommended, such as updating the plugin to version 1.0.9.4 or later, or seeking assistance from your hosting provider or web developer.

Mitigation Strategies

The immediate recommended action is to update the WordPress Goya Core Plugin to version 1.0.9.4 or later.

If updating is not feasible, users should seek assistance from their hosting provider or web developer.

Patchstack users can enable auto-updates for vulnerable plugins to mitigate the risk automatically.

Compliance Impact

The Local File Inclusion vulnerability in the Goya Core Plugin allows an attacker with contributor-level access to potentially expose sensitive data such as database credentials. Exposure of such sensitive information could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive data against unauthorized access.

Therefore, if exploited, this vulnerability may compromise the confidentiality and integrity of sensitive data, impacting compliance with common standards and regulations that mandate strict data security controls.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-68064. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart