{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-68062", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-12-15T10:01:19.544Z", "datePublished": "2025-12-16T08:13:01.103Z", "dateUpdated": "2026-04-28T19:57:25.788Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "minimog", "product": "MinimogWP", "vendor": "ThemeMove", "versions": [{"lessThanOrEqual": "3.9.6", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:02:59.866Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeMove MinimogWP minimog allows PHP Local File Inclusion.<p>This issue affects MinimogWP: from n/a through <= 3.9.6.</p>"}], "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeMove MinimogWP minimog allows PHP Local File Inclusion.This issue affects MinimogWP: from n/a through <= 3.9.6."}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:28.054Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/minimog/vulnerability/wordpress-minimogwp-theme-3-9-6-local-file-inclusion-vulnerability?_s_id=cve"}], "title": "WordPress MinimogWP theme <= 3.9.6 - Local File Inclusion vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-16T20:43:16.111771Z", "id": "CVE-2025-68062", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T19:57:25.788Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-68062", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-12-16T20:43:16.111771Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-16T20:43:10.848Z"}}], "cna": {"title": "WordPress MinimogWP theme <= 3.9.6 - Local File Inclusion vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "affected": [{"vendor": "ThemeMove", "product": "MinimogWP", "versions": [{"status": "affected", "version": "n/a", "versionType": "custom", "lessThanOrEqual": "<= 3.9.6"}], "packageName": "minimog", "collectionURL": "https://themeforest.net", "defaultStatus": "unaffected"}], "datePublic": "2025-12-15T22:03:36.266Z", "references": [{"url": "https://vdp.patchstack.com/database/Wordpress/Theme/minimog/vulnerability/wordpress-minimogwp-theme-3-9-6-local-file-inclusion-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeMove MinimogWP minimog allows PHP Local File Inclusion.This issue affects MinimogWP: from n/a through <= 3.9.6.", "supportingMedia": [{"type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeMove MinimogWP minimog allows PHP Local File Inclusion.<p>This issue affects MinimogWP: from n/a through <= 3.9.6.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2025-12-16T08:13:01.103Z"}}}, "cveMetadata": {"cveId": "CVE-2025-68062", "state": "PUBLISHED", "dateUpdated": "2025-12-16T20:43:19.044Z", "dateReserved": "2025-12-15T10:01:19.544Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2025-12-16T08:13:01.103Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:thememove:minimogwp:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "7A3E0108-DF4D-4BE3-AA1B-3FD4D0448197", "versionEndIncluding": "3.9.6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeMove MinimogWP minimog allows PHP Local File Inclusion.This issue affects MinimogWP: from n/a through <= 3.9.6."}], "id": "CVE-2025-68062", "lastModified": "2026-01-29T21:08:44.490", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-12-16T09:16:01.613", "references": [{"source": "audit@patchstack.com", "tags": ["Third Party Advisory"], "url": "https://patchstack.com/database/Wordpress/Theme/minimog/vulnerability/wordpress-minimogwp-theme-3-9-6-local-file-inclusion-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-98"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-27T22:21:15.661189+00:00", "value": {"mitigation_remediation": ["Upgrade MinimogWP to version 3.9.7 or later to remove the vulnerable file inclusion logic.", "If an upgrade cannot be applied immediately, edit the theme\u2019s code to validate any include paths against a strict whitelist of allowed files or remove the unsanitized include call entirely.", "Restrict PHP execution of included files by setting \"allow_url_include = Off\" and ensuring proper filesystem permissions to limit access to sensitive files."], "summary": {"action": "Immediate Patch", "impact": "Local File Inclusion potentially leading to code execution or data disclosure"}, "threat_synthesis": {"affected_systems": "WordPress sites using the ThemeMove MinimogWP theme, versions up to and including 3.9.6. The affected component is the theme\u2019s file inclusion logic within WordPress.", "description_and_impact": "This vulnerability is an improper control of filename in a PHP include/require statement, classified as CWE-98. An attacker can craft a request that forces the theme to include a local file, potentially exposing sensitive server files or giving the attacker a foothold for further exploitation. The description indicates an LFI attack vector that, if an include path is executed, could allow reading of arbitrary files or execution of malicious code built into the local filesystem.", "risk_and_exploitability": "The CVSS score of 7.5 signals significant severity, though the EPSS score of less than 1% suggests the likelihood of exploitation is low at this time. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the attack likely requires the ability to trigger the theme\u2019s file inclusion logic, which can be done through a crafted URL or form input, implying that unauthenticated users may be able to exploit this depending on the site\u2019s configuration. Successful exploitation could lead to disclosure of confidential data or remote code execution if the included file is maliciously crafted."}}}}, "created": "2025-12-16T17:09:03.903735+00:00", "title": "WordPress MinimogWP Theme Local File Inclusion Vulnerability", "updated": "2026-04-27T22:30:14.453883+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}