{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-67938", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-12-15T09:59:55.701Z", "datePublished": "2026-01-22T16:51:52.931Z", "dateUpdated": "2026-04-28T19:27:06.915Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "biagiotti", "product": "Biagiotti", "vendor": "Mikado-Themes", "versions": [{"changes": [{"at": "3.5.2", "status": "unaffected"}], "lessThanOrEqual": "3.5.2", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:02:18.508Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Biagiotti biagiotti allows PHP Local File Inclusion.<p>This issue affects Biagiotti: from n/a through < 3.5.2.</p>"}], "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Biagiotti biagiotti allows PHP Local File Inclusion.This issue affects Biagiotti: from n/a through < 3.5.2."}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:24.234Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/biagiotti/vulnerability/wordpress-biagiotti-theme-3-5-2-local-file-inclusion-vulnerability?_s_id=cve"}], "title": "WordPress Biagiotti theme < 3.5.2 - Local File Inclusion vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-28T19:09:19.349565Z", "id": "CVE-2025-67938", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T19:27:06.915Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-67938", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-28T19:09:19.349565Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-28T19:08:57.263Z"}}], "cna": {"title": "WordPress Biagiotti theme < 3.5.2 - Local File Inclusion vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "affected": [{"vendor": "Mikado-Themes", "product": "Biagiotti", "versions": [{"status": "affected", "changes": [{"at": "3.5.2", "status": "unaffected"}], "version": "n/a", "versionType": "custom", "lessThanOrEqual": "< 3.5.2"}], "packageName": "biagiotti", "collectionURL": "https://themeforest.net", "defaultStatus": "unaffected"}], "datePublic": "2026-01-22T17:43:53.245Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Theme/biagiotti/vulnerability/wordpress-biagiotti-theme-3-5-2-local-file-inclusion-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Biagiotti biagiotti allows PHP Local File Inclusion.This issue affects Biagiotti: from n/a through < 3.5.2.", "supportingMedia": [{"type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Biagiotti biagiotti allows PHP Local File Inclusion.<p>This issue affects Biagiotti: from n/a through < 3.5.2.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-01-22T16:51:52.931Z"}}}, "cveMetadata": {"cveId": "CVE-2025-67938", "state": "PUBLISHED", "dateUpdated": "2026-01-29T15:37:43.258Z", "dateReserved": "2025-12-15T09:59:55.701Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-01-22T16:51:52.931Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Biagiotti biagiotti allows PHP Local File Inclusion.This issue affects Biagiotti: from n/a through < 3.5.2."}, {"lang": "es", "value": "Control inadecuado del nombre de fichero para la declaraci\u00f3n include/require en programa PHP ('Inclusi\u00f3n remota de ficheros PHP') vulnerabilidad en Mikado-Themes Biagiotti biagiotti permite la inclusi\u00f3n local de ficheros PHP. Este problema afecta a Biagiotti: desde n/a hasta &lt; 3.5.2."}], "id": "CVE-2025-67938", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-01-22T17:16:02.587", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/biagiotti/vulnerability/wordpress-biagiotti-theme-3-5-2-local-file-inclusion-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-98"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-27T21:37:31.818163+00:00", "value": {"mitigation_remediation": ["Upgrade the Biagiotti theme to version 3.5.2 or newer to eliminate the vulnerability.", "If an upgrade cannot be performed immediately, replace the theme with a secure alternative or disable the theme on publicly accessible sites.", "Restrict file permissions on theme directories to prevent unintended file inclusion by the web server.", "Monitor server logs for unusual file inclusion attempts and report any suspicious activity to the site administrator."], "summary": {"action": "Immediate Patch", "impact": "Local File Inclusion"}, "threat_synthesis": {"affected_systems": "Affected systems are installations that use the Mikado-Themes Biagiotti WordPress theme version prior to 3.5.2. The vendor documentation lists affected versions as any version from the original release up through just before the 3.5.2 release. Site owners using any of those versions should check their theme version and protect the site accordingly.", "description_and_impact": "The vulnerability arises from an improper control of filenames for include/require statements in the Mikado-Themes Biagiotti theme. This weakness, classified as CWE\u201198, allows an attacker to influence the file path passed to PHP's include statements, leading to local file inclusion. If exploited, an actor could read sensitive configuration files, view source code, or potentially execute injected code, thereby compromising the confidentiality and integrity of the WordPress installation.", "risk_and_exploitability": "The CVSS score of 8.1 indicates high severity. The EPSS score of less than 1% suggests that the probability of exploitation in the wild is currently very low, and it is not listed in the CISA KEV catalog. The likely attack vector is local, requiring attacker control of the web server file system or the ability to supply crafted requests to the theme. Because the weakness permits the inclusion of arbitrary local files, any compromise of the web application or server could be leveraged to read or execute malicious code."}}}}, "created": "2026-01-23T16:31:15.279855+00:00", "updated": "2026-04-27T21:45:14.528037+00:00", "vendors": ["mikado-themes", "mikado-themes$PRODUCT$biagiotti", "wordpress", "wordpress$PRODUCT$wordpress"]}