{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-69409", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-12-31T20:13:23.068Z", "datePublished": "2026-02-20T15:46:58.882Z", "dateUpdated": "2026-04-28T21:01:33.546Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "pj", "product": "PJ | Life & Business Coaching", "vendor": "axiomthemes", "versions": [{"lessThanOrEqual": "3.0.0", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:03:55.505Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes PJ | Life & Business Coaching pj allows PHP Local File Inclusion.<p>This issue affects PJ | Life & Business Coaching: from n/a through <= 3.0.0.</p>"}], "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes PJ | Life & Business Coaching pj allows PHP Local File Inclusion.This issue affects PJ | Life & Business Coaching: from n/a through <= 3.0.0."}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:40.342Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/pj/vulnerability/wordpress-pj-life-business-coaching-theme-3-0-0-local-file-inclusion-vulnerability?_s_id=cve"}], "title": "WordPress PJ | Life & Business Coaching theme <= 3.0.0 - Local File Inclusion vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-24T20:31:30.755504Z", "id": "CVE-2025-69409", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T21:01:33.546Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-69409", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-24T20:31:30.755504Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-24T20:31:32.368Z"}}], "cna": {"title": "WordPress PJ | Life & Business Coaching theme <= 3.0.0 - Local File Inclusion vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "affected": [{"vendor": "axiomthemes", "product": "PJ | Life & Business Coaching", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "3.0.0"}], "packageName": "pj", "collectionURL": "https://themeforest.net", "defaultStatus": "unaffected"}], "datePublic": "2026-04-01T16:03:55.505Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Theme/pj/vulnerability/wordpress-pj-life-business-coaching-theme-3-0-0-local-file-inclusion-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes PJ | Life & Business Coaching pj allows PHP Local File Inclusion.This issue affects PJ | Life & Business Coaching: from n/a through <= 3.0.0.", "supportingMedia": [{"type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes PJ | Life & Business Coaching pj allows PHP Local File Inclusion.<p>This issue affects PJ | Life & Business Coaching: from n/a through <= 3.0.0.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-01T14:13:32.283Z"}}}, "cveMetadata": {"cveId": "CVE-2025-69409", "state": "PUBLISHED", "dateUpdated": "2026-04-01T14:13:32.283Z", "dateReserved": "2025-12-31T20:13:23.068Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-02-20T15:46:58.882Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes PJ | Life & Business Coaching pj allows PHP Local File Inclusion.This issue affects PJ | Life & Business Coaching: from n/a through <= 3.0.0."}, {"lang": "es", "value": "La vulnerabilidad de control inadecuado del nombre de fichero para la declaraci\u00f3n Include/Require en un programa PHP ('Inclusi\u00f3n Remota de Ficheros PHP') en axiomthemes PJ | Life &amp; Business Coaching pj permite la Inclusi\u00f3n Local de Ficheros PHP. Este problema afecta a PJ | Life &amp; Business Coaching: desde n/d hasta &lt;= 3.0.0."}], "id": "CVE-2025-69409", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-20T16:22:28.753", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/pj/vulnerability/wordpress-pj-life-business-coaching-theme-3-0-0-local-file-inclusion-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-98"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.0.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "PJ | Life & Business Coaching", "source": "cna", "vendor": "axiomthemes"}, "product": "pj_|_life_&_business_coaching", "vendor": "axiomthemes"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-27T20:08:19.989792+00:00", "value": {"mitigation_remediation": ["Upgrade the PJ | Life & Business Coaching theme to a non\u2011affected release (>=3.0.1) or apply the vendor\u2011issued patch. ", "If an update is not immediately available, disable or replace the theme to remove the vulnerable code path. ", "Configure the server or a WAF to restrict file include paths, for example by enabling open_basedir, rejecting paths with \"..\", and validating all file names before inclusion."], "summary": {"action": "Apply Patch", "impact": "Local File Inclusion leading to arbitrary file disclosure"}, "threat_synthesis": {"affected_systems": "The affected product is the WordPress PJ | Life & Business Coaching theme developed by axiomthemes. All releases from the initial version up through 3.0.0 are vulnerable. WordPress sites that have deployed any of these theme versions are susceptible.", "description_and_impact": "This vulnerability arises from improper control of filenames in an include/require statement within the WordPress PJ | Life & Business Coaching theme. The flaw permits the inclusion of arbitrary local files, enabling an attacker to read sensitive files on the server. The impact is the disclosure of confidential data and potentially other critical configuration files, compromising the confidentiality and integrity of the website.", "risk_and_exploitability": "The CVSS score of 8.1 reflects a high severity, while the EPSS score of less than 1% indicates a relatively low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is a local file inclusion triggered by user\u2011supplied input that determines the file to include. An attacker who can manipulate that input could read arbitrary files on the server, although no public exploit is known at this time."}}}}, "created": "2026-02-23T14:36:48.669086+00:00", "updated": "2026-04-27T20:15:12.269220+00:00", "vendors": ["axiomthemes", "axiomthemes$PRODUCT$pj_|_life_&_business_coaching", "wordpress", "wordpress$PRODUCT$wordpress"]}