{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-67980", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-12-15T10:00:33.669Z", "datePublished": "2026-02-20T15:46:31.029Z", "dateUpdated": "2026-04-28T19:31:10.802Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "hara", "product": "Hara", "vendor": "thembay", "versions": [{"changes": [{"at": "1.2.18", "status": "unaffected"}], "lessThanOrEqual": "1.2.17", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:02:15.203Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Hara hara allows PHP Local File Inclusion.<p>This issue affects Hara: from n/a through <= 1.2.17.</p>"}], "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Hara hara allows PHP Local File Inclusion.This issue affects Hara: from n/a through <= 1.2.17."}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:25.030Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/hara/vulnerability/wordpress-hara-theme-1-2-17-local-file-inclusion-vulnerability-2?_s_id=cve"}], "title": "WordPress Hara theme <= 1.2.17 - Local File Inclusion vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-24T20:35:13.678555Z", "id": "CVE-2025-67980", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T19:31:10.802Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-67980", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-24T20:35:13.678555Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-24T20:35:15.255Z"}}], "cna": {"title": "WordPress Hara theme <= 1.2.17 - Local File Inclusion vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "thembay", "product": "Hara", "versions": [{"status": "affected", "changes": [{"at": "1.2.18", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "1.2.17"}], "packageName": "hara", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-01T16:02:15.203Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Theme/hara/vulnerability/wordpress-hara-theme-1-2-17-local-file-inclusion-vulnerability-2?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Hara hara allows PHP Local File Inclusion.This issue affects Hara: from n/a through <= 1.2.17.", "supportingMedia": [{"type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Hara hara allows PHP Local File Inclusion.<p>This issue affects Hara: from n/a through <= 1.2.17.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:25.030Z"}}}, "cveMetadata": {"cveId": "CVE-2025-67980", "state": "PUBLISHED", "dateUpdated": "2026-04-28T19:31:10.802Z", "dateReserved": "2025-12-15T10:00:33.669Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-02-20T15:46:31.029Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Hara hara allows PHP Local File Inclusion.This issue affects Hara: from n/a through <= 1.2.17."}, {"lang": "es", "value": "Control inadecuado del nombre de fichero para la declaraci\u00f3n Include/Require en un programa PHP ('inclusi\u00f3n remota de ficheros PHP') vulnerabilidad en thembay Hara hara permite la inclusi\u00f3n local de ficheros PHP. Este problema afecta a Hara: desde n/a hasta &lt;= 1.2.17."}], "id": "CVE-2025-67980", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-20T16:22:04.323", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/hara/vulnerability/wordpress-hara-theme-1-2-17-local-file-inclusion-vulnerability-2?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-98"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.2.17]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[1.2.18,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Hara", "source": "cna", "vendor": "thembay"}, "product": "hara", "vendor": "thembay"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-27T20:56:44.084592+00:00", "value": {"mitigation_remediation": ["Upgrade the Hara theme to a version newer than 1.2.17", "Ensure that any include/require statements no longer accept user\u2011controlled paths and that file paths are validated against a whitelist", "If an upgrade is not immediately possible, remove or disable any functionality that allows user input to specify a file path within the theme"], "summary": {"action": "Immediate Patch", "impact": "Local File Inclusion"}, "threat_synthesis": {"affected_systems": "WordPress sites using Thembay's Hara theme at versions 1.2.17 or earlier are affected. Users of the theme should immediately verify their installed version and plan an upgrade if the version is \u2264\u202f1.2.17.", "description_and_impact": "The Hara theme v1.2.17 contains an improper control of filename for include/require statements in PHP. This allows an attacker to trigger a local file inclusion by supplying a crafted path, potentially reading sensitive files or executing code. The vulnerability classification is CWE\u201198. The CVSS score of 8.1 reflects a high\u2011severity bug that can compromise confidentiality and integrity of the WordPress instance.", "risk_and_exploitability": "The EPSS score of less than 1\u202f% indicates a low probability of exploitation today, but the high CVSS score and the nature of the flaw mean that exploitation could result in unauthorized file disclosure or code execution. The vulnerability is not listed in CISA's KEV catalog. Attackers would need to supply a URL or form input that controls the file path; it is unclear whether the path is directory\u2011traversal restricted, so the attack vector is inferred as remote via crafted web requests."}}}}, "created": "2026-02-23T14:46:16.554489+00:00", "updated": "2026-04-27T21:00:13.176171+00:00", "vendors": ["thembay", "thembay$PRODUCT$hara", "wordpress", "wordpress$PRODUCT$wordpress"]}