{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-68068", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-12-15T10:01:19.544Z", "datePublished": "2025-12-16T08:13:03.502Z", "dateUpdated": "2026-04-28T19:57:43.772Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "stockholm", "product": "Stockholm", "vendor": "Select-Themes", "versions": [{"lessThanOrEqual": "9.14.1", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:02:18.761Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Select-Themes Stockholm stockholm allows PHP Local File Inclusion.<p>This issue affects Stockholm: from n/a through <= 9.14.1.</p>"}], "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Select-Themes Stockholm stockholm allows PHP Local File Inclusion.This issue affects Stockholm: from n/a through <= 9.14.1."}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:28.123Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/stockholm/vulnerability/wordpress-stockholm-theme-9-14-1-local-file-inclusion-vulnerability?_s_id=cve"}], "title": "WordPress Stockholm theme <= 9.14.1 - Local File Inclusion vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-16T20:42:44.832075Z", "id": "CVE-2025-68068", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T19:57:43.772Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-68068", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-12-16T20:42:44.832075Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-16T20:40:06.099Z"}}], "cna": {"title": "WordPress Stockholm theme <= 9.14.1 - Local File Inclusion vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "affected": [{"vendor": "Select-Themes", "product": "Stockholm", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "9.14.1"}], "packageName": "stockholm", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-01T16:02:18.761Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Theme/stockholm/vulnerability/wordpress-stockholm-theme-9-14-1-local-file-inclusion-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Select-Themes Stockholm stockholm allows PHP Local File Inclusion.This issue affects Stockholm: from n/a through <= 9.14.1.", "supportingMedia": [{"type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Select-Themes Stockholm stockholm allows PHP Local File Inclusion.<p>This issue affects Stockholm: from n/a through <= 9.14.1.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-01T14:11:56.668Z"}}}, "cveMetadata": {"cveId": "CVE-2025-68068", "state": "PUBLISHED", "dateUpdated": "2026-04-24T19:20:07.371Z", "dateReserved": "2025-12-15T10:01:19.544Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2025-12-16T08:13:03.502Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Select-Themes Stockholm stockholm allows PHP Local File Inclusion.This issue affects Stockholm: from n/a through <= 9.14.1."}], "id": "CVE-2025-68068", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-12-16T09:16:02.143", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/stockholm/vulnerability/wordpress-stockholm-theme-9-14-1-local-file-inclusion-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-98"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-27T22:19:19.224299+00:00", "value": {"mitigation_remediation": ["Update the Stockholm theme to the latest version, which removes the insecure include path handling.", "If an immediate theme upgrade is not possible, temporarily restrict or remove any theme options that allow dynamic file inclusion or hard\u2011code a whitelist for allowed file paths within the theme\u2019s PHP files.", "Enable file access logging, monitor for unusual file inclusion attempts, and ensure that the web server\u2019s file permissions limit read access to sensitive directories, adding WAF rules to block suspicious file inclusion patterns."], "summary": {"action": "Patch Immediately", "impact": "Local File Inclusion potentially enabling unauthorized file access or code execution"}, "threat_synthesis": {"affected_systems": "WordPress installations that have the Stockholm theme version 9.14.1 or earlier are affected. This includes any site using the Select\u2011Themes Stockholm template from its initial release up through version 9.14.1. No specific WordPress core or PHP version constraints are stated in the advisory.", "description_and_impact": "Improper control of the filename used in a PHP include/require statement in the Stockholm theme allows Local File Inclusion. If an attacker can influence the included filename, they may read arbitrary files from the server or include and execute remote files, potentially escalating to code execution or sensitive data disclosure. The vulnerability is categorized as CWE-98, reflecting insecure handling of file paths.", "risk_and_exploitability": "The CVSS base score is 7.5, indicating a significant severity. The EPSS score is less than 1\u202f%, suggesting a low probability of exploitation within the current timeframe, and the vulnerability is not listed in CISA's KEV catalog. The likely attack vector involves a crafted HTTP request targeting the vulnerable theme\u2019s input that controls the include path, allowing an attacker with internet access to exploit the local file inclusion. Because it is a local vulnerability, it generally requires the attacker to be able to influence the request to the WordPress instance but does not rely on privileged user credentials."}}}}, "created": "2025-12-16T17:09:16.461755+00:00", "updated": "2026-04-27T22:30:14.452217+00:00", "vendors": ["select-themes", "select-themes$PRODUCT$stockholm", "wordpress", "wordpress$PRODUCT$wordpress"]}