{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-67955", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-12-15T10:00:16.553Z", "datePublished": "2026-01-22T16:51:56.033Z", "dateUpdated": "2026-04-28T16:14:24.631Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "myhome-core", "product": "MyHome Core", "vendor": "TangibleWP", "versions": [{"changes": [{"at": "4.1.1", "status": "unaffected"}], "lessThanOrEqual": "4.1.0", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:22:06.754Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in TangibleWP MyHome Core myhome-core allows PHP Local File Inclusion.<p>This issue affects MyHome Core: from n/a through <= 4.1.0.</p>"}], "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in TangibleWP MyHome Core myhome-core allows PHP Local File Inclusion.This issue affects MyHome Core: from n/a through <= 4.1.0."}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:24.631Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/myhome-core/vulnerability/wordpress-myhome-core-plugin-4-1-0-local-file-inclusion-vulnerability?_s_id=cve"}], "title": "WordPress MyHome Core plugin <= 4.1.0 - Local File Inclusion vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-27T18:07:35.316580Z", "id": "CVE-2025-67955", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T18:07:37.941Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-67955", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-27T18:07:35.316580Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-29T18:36:16.921Z"}}], "cna": {"title": "WordPress MyHome Core plugin <= 4.1.0 - Local File Inclusion vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "TangibleWP", "product": "MyHome Core", "versions": [{"status": "affected", "changes": [{"at": "4.1.1", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "4.1.0"}], "packageName": "myhome-core", "collectionURL": "https://themeforest.net", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:22:06.754Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/myhome-core/vulnerability/wordpress-myhome-core-plugin-4-1-0-local-file-inclusion-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in TangibleWP MyHome Core myhome-core allows PHP Local File Inclusion.This issue affects MyHome Core: from n/a through <= 4.1.0.", "supportingMedia": [{"type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in TangibleWP MyHome Core myhome-core allows PHP Local File Inclusion.<p>This issue affects MyHome Core: from n/a through <= 4.1.0.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:13:55.197Z"}}}, "cveMetadata": {"cveId": "CVE-2025-67955", "state": "PUBLISHED", "dateUpdated": "2026-04-27T18:07:37.941Z", "dateReserved": "2025-12-15T10:00:16.553Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-01-22T16:51:56.033Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in TangibleWP MyHome Core myhome-core allows PHP Local File Inclusion.This issue affects MyHome Core: from n/a through <= 4.1.0."}, {"lang": "es", "value": "Control inadecuado del nombre de fichero para la declaraci\u00f3n include/require en un programa PHP, una vulnerabilidad de 'inclusi\u00f3n remota de ficheros PHP' en TangibleWP MyHome Core myhome-core, permite la inclusi\u00f3n local de ficheros PHP. Este problema afecta a MyHome Core: desde n/a hasta &lt;= 4.1.0."}], "id": "CVE-2025-67955", "lastModified": "2026-04-27T18:16:51.360", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-01-22T17:16:05.033", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/myhome-core/vulnerability/wordpress-myhome-core-plugin-4-1-0-local-file-inclusion-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-98"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-27T21:32:14.849223+00:00", "value": {"mitigation_remediation": ["Upgrade MyHome Core to the latest version that removes the vulnerable include logic.", "If an update is not available, disable or uninstall the plugin to eliminate the input path that can be abused.", "Configure the web server to deny execution of arbitrary local files and restrict file permissions on the WordPress installation folders.", "Implement a web application firewall to block requests containing malicious file paths and monitor logs for suspicious inclusion attempts."], "summary": {"action": "Apply Patch", "impact": "Local File Inclusion"}, "threat_synthesis": {"affected_systems": "The vulnerability is present in TangibleWP MyHome Core plugin versions up to and including 4.1.0. Any WordPress installation that has this plugin installed within the affected range is susceptible.", "description_and_impact": "The MyHome Core plugin for WordPress contains an improper control of filename for include/require statements. An attacker can manipulate the filename parameter to include an arbitrary local file. This can expose sensitive content or, if the file contains executable PHP, allow code execution on the web host, potentially leading to full site compromise.", "risk_and_exploitability": "The CVSS score of 7.5 indicates a high severity rating. The EPSS score of less than 1% suggests a relatively low probability of exploitation in the near term, and the vulnerability is not listed in the CISA KEV catalog. Exploitation typically requires an attacker to trigger the plugin\u2019s file inclusion routine with a crafted filename, which is likely achievable via a URL or submitted form within the WordPress site. Given the moderate-to-high severity, administrators should treat this as a serious risk."}}}}, "created": "2026-01-23T16:30:18.368012+00:00", "updated": "2026-04-27T21:45:14.517070+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}