{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-69373", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-12-31T20:13:05.451Z", "datePublished": "2026-02-20T15:46:51.695Z", "dateUpdated": "2026-04-28T16:14:39.622Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "vidorev", "product": "VidoRev", "vendor": "beeteam368", "versions": [{"lessThanOrEqual": "2.9.9.9.9.9.7", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:20:41.104Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in beeteam368 VidoRev vidorev allows PHP Local File Inclusion.<p>This issue affects VidoRev: from n/a through <= 2.9.9.9.9.9.7.</p>"}], "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in beeteam368 VidoRev vidorev allows PHP Local File Inclusion.This issue affects VidoRev: from n/a through <= 2.9.9.9.9.9.7."}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:39.622Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/vidorev/vulnerability/wordpress-vidorev-theme-2-9-9-9-9-9-7-local-file-inclusion-vulnerability?_s_id=cve"}], "title": "WordPress VidoRev theme <= 2.9.9.9.9.9.7 - Local File Inclusion vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-24T20:09:59.349164Z", "id": "CVE-2025-69373", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T19:53:47.579Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-69373", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-24T20:09:59.349164Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-24T20:11:16.541Z"}}], "cna": {"title": "WordPress VidoRev theme <= 2.9.9.9.9.9.7 - Local File Inclusion vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "beeteam368", "product": "VidoRev", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "2.9.9.9.9.9.7"}], "packageName": "vidorev", "collectionURL": "https://themeforest.net", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:20:41.104Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Theme/vidorev/vulnerability/wordpress-vidorev-theme-2-9-9-9-9-9-7-local-file-inclusion-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in beeteam368 VidoRev vidorev allows PHP Local File Inclusion.This issue affects VidoRev: from n/a through <= 2.9.9.9.9.9.7.", "supportingMedia": [{"type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in beeteam368 VidoRev vidorev allows PHP Local File Inclusion.<p>This issue affects VidoRev: from n/a through <= 2.9.9.9.9.9.7.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:14:01.584Z"}}}, "cveMetadata": {"cveId": "CVE-2025-69373", "state": "PUBLISHED", "dateUpdated": "2026-04-27T19:53:47.579Z", "dateReserved": "2025-12-31T20:13:05.451Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-02-20T15:46:51.695Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in beeteam368 VidoRev vidorev allows PHP Local File Inclusion.This issue affects VidoRev: from n/a through <= 2.9.9.9.9.9.7."}, {"lang": "es", "value": "Control inadecuado del nombre de fichero para la declaraci\u00f3n Include/Require en el programa PHP ('PHP inclusi\u00f3n remota de ficheros') vulnerabilidad en beeteam368 VidoRev vidorev permite PHP inclusi\u00f3n local de ficheros. Este problema afecta a VidoRev: desde n/a hasta &lt;= 2.9.9.9.9.9.7."}], "id": "CVE-2025-69373", "lastModified": "2026-04-27T21:16:25.567", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-02-20T16:22:21.580", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/vidorev/vulnerability/wordpress-vidorev-theme-2-9-9-9-9-9-7-local-file-inclusion-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-98"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,2.9.9.9.9.9.7]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "vidorev", "vendor": "beeteam368"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-28T09:29:52.208843+00:00", "value": {"mitigation_remediation": ["Upgrade the VidoRev theme to a version newer than 2.9.9.9.9.9.7", "If an upgrade is not possible, modify the theme\u2019s file\u2011include logic to validate any filenames against a whitelist or restrict the include paths to a predefined set of safe files", "If code modification cannot be performed, consider disabling the theme or reducing file system permissions so that local files cannot be included via the web interface"], "summary": {"action": "Update Theme", "impact": "Local File Inclusion \u2013 potential data disclosure and execution of arbitrary local code"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the beeteam368 VidoRev theme for WordPress. All releases from the earliest available version through 2.9.9.9.9.9.7 are susceptible. WordPress installations deploying any of these theme versions are impacted.", "description_and_impact": "The flaw stems from inadequate validation of filenames used in a PHP include/require statement within the beeteam368 VidoRev WordPress theme. As a result, an attacker can supply a filename that leads the server to include any file from the local filesystem. This can expose sensitive files to the attacker and, in circumstances where the included file contains executable PHP code, could allow that code to run on the web server.", "risk_and_exploitability": "The CVSS score of 7.5 indicates a high severity of impact. The EPSS score of less than 1% suggests that, at present, exploitation attempts are expected to be uncommon. The vulnerability is not listed in the CISA KEV database, so no widespread exploitation campaigns are known. The likely attack vector is a crafted HTTP request to a page or endpoint of the vulnerable theme that supplies a controlled filename parameter to trigger the PHP include logic. Successful exploitation would give the attacker the ability to read arbitrary files on the server or, if a malicious PHP script can be placed in a reachable location, execute that script on the server."}}}}, "created": "2026-02-23T14:37:20.011411+00:00", "updated": "2026-04-28T09:30:26.222509+00:00", "vendors": ["beeteam368", "beeteam368$PRODUCT$vidorev", "wordpress", "wordpress$PRODUCT$wordpress"]}