{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-68065", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-12-15T10:01:19.544Z", "datePublished": "2025-12-16T08:13:01.354Z", "dateUpdated": "2026-04-28T16:14:28.031Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "hub-core", "product": "Hub Core", "vendor": "LiquidThemes", "versions": [{"lessThanOrEqual": "5.0.8", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:24:27.093Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in LiquidThemes Hub Core hub-core allows PHP Local File Inclusion.<p>This issue affects Hub Core: from n/a through <= 5.0.8.</p>"}], "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in LiquidThemes Hub Core hub-core allows PHP Local File Inclusion.This issue affects Hub Core: from n/a through <= 5.0.8."}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:28.031Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/hub-core/vulnerability/wordpress-hub-core-plugin-5-0-8-local-file-inclusion-vulnerability?_s_id=cve"}], "title": "WordPress Hub Core plugin <= 5.0.8 - Local File Inclusion vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-27T18:32:12.607109Z", "id": "CVE-2025-68065", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T18:32:16.963Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-68065", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-27T18:32:12.607109Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-16T16:10:28.643Z"}}], "cna": {"title": "WordPress Hub Core plugin <= 5.0.8 - Local File Inclusion vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "LiquidThemes", "product": "Hub Core", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "5.0.8"}], "packageName": "hub-core", "collectionURL": "https://themeforest.net", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:24:27.093Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/hub-core/vulnerability/wordpress-hub-core-plugin-5-0-8-local-file-inclusion-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in LiquidThemes Hub Core hub-core allows PHP Local File Inclusion.This issue affects Hub Core: from n/a through <= 5.0.8.", "supportingMedia": [{"type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in LiquidThemes Hub Core hub-core allows PHP Local File Inclusion.<p>This issue affects Hub Core: from n/a through <= 5.0.8.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:13:56.266Z"}}}, "cveMetadata": {"cveId": "CVE-2025-68065", "state": "PUBLISHED", "dateUpdated": "2026-04-27T18:32:16.963Z", "dateReserved": "2025-12-15T10:01:19.544Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2025-12-16T08:13:01.354Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in LiquidThemes Hub Core hub-core allows PHP Local File Inclusion.This issue affects Hub Core: from n/a through <= 5.0.8."}], "id": "CVE-2025-68065", "lastModified": "2026-04-27T19:16:24.420", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2025-12-16T09:16:01.743", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/hub-core/vulnerability/wordpress-hub-core-plugin-5-0-8-local-file-inclusion-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-98"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-27T22:20:56.293529+00:00", "value": {"mitigation_remediation": ["Upgrade the Hub Core plugin to version 5.0.9 or later once the official patch is released", "If an immediate upgrade is not possible, uninstall or disable the Hub Core plugin to eliminate the vulnerability", "Configure a web application firewall to block LFI attempts, such as by rejecting requests containing suspicious path traversal sequences"], "summary": {"action": "Apply Patch", "impact": "Local File Inclusion leading to potential arbitrary file read or code execution"}, "threat_synthesis": {"affected_systems": "WordPress sites that have installed the LiquidThemes Hub Core plugin version 5.0.8 or earlier are affected. No specific minor version is listed beyond the upper bound of 5.0.8, and the issue applies to all installations from the initial release to that version.", "description_and_impact": "The vulnerability resides in the Hub Core plugin for WordPress and allows an attacker to control the filename used in a PHP include or require statement. This flaw, classified as CWE-98, can enable the reading or execution of arbitrary files on the server, which may lead to disclosure of sensitive data or execution of malicious code if a PHP file is read from a controlled or remote source.", "risk_and_exploitability": "The CVSS score of 7.5 indicates a high impact if the vulnerability is exploited. The EPSS score of less than 1% suggests a low probability of exploitation in the wild at this time, and the vulnerability is not currently catalogued in the CISA KEV list. The likely attack vector is web-based, where a remote attacker could supply a crafted request to induce the plugin to include a local or remote file and gain sensitive information or control over the site."}}}}, "created": "2025-12-16T17:09:23.573368+00:00", "updated": "2026-04-27T22:30:14.453513+00:00", "vendors": ["liquidthemes", "liquidthemes$PRODUCT$hub", "wordpress", "wordpress$PRODUCT$wordpress"]}