{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-69410", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-12-31T20:13:23.068Z", "datePublished": "2026-02-20T15:46:59.059Z", "dateUpdated": "2026-04-28T21:01:43.654Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "belletrist", "product": "Belletrist", "vendor": "Edge-Themes", "versions": [{"lessThanOrEqual": "1.2", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:03:55.841Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Edge-Themes Belletrist belletrist allows PHP Local File Inclusion.<p>This issue affects Belletrist: from n/a through <= 1.2.</p>"}], "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Edge-Themes Belletrist belletrist allows PHP Local File Inclusion.This issue affects Belletrist: from n/a through <= 1.2."}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:40.371Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/belletrist/vulnerability/wordpress-belletrist-theme-1-2-local-file-inclusion-vulnerability?_s_id=cve"}], "title": "WordPress Belletrist theme <= 1.2 - Local File Inclusion vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-24T20:31:26.903489Z", "id": "CVE-2025-69410", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T21:01:43.654Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-69410", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-24T20:31:26.903489Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-24T20:31:28.300Z"}}], "cna": {"title": "WordPress Belletrist theme <= 1.2 - Local File Inclusion vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "affected": [{"vendor": "Edge-Themes", "product": "Belletrist", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1.2"}], "packageName": "belletrist", "collectionURL": "https://themeforest.net", "defaultStatus": "unaffected"}], "datePublic": "2026-04-01T16:03:55.841Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Theme/belletrist/vulnerability/wordpress-belletrist-theme-1-2-local-file-inclusion-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Edge-Themes Belletrist belletrist allows PHP Local File Inclusion.This issue affects Belletrist: from n/a through <= 1.2.", "supportingMedia": [{"type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Edge-Themes Belletrist belletrist allows PHP Local File Inclusion.<p>This issue affects Belletrist: from n/a through <= 1.2.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-01T14:13:32.479Z"}}}, "cveMetadata": {"cveId": "CVE-2025-69410", "state": "PUBLISHED", "dateUpdated": "2026-04-01T14:13:32.479Z", "dateReserved": "2025-12-31T20:13:23.068Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-02-20T15:46:59.059Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Edge-Themes Belletrist belletrist allows PHP Local File Inclusion.This issue affects Belletrist: from n/a through <= 1.2."}, {"lang": "es", "value": "Control inadecuado del nombre de fichero para la declaraci\u00f3n include/require en un programa PHP, vulnerabilidad ('Inclusi\u00f3n Remota de Ficheros PHP') en Edge-Themes Belletrist belletrist permite la inclusi\u00f3n local de ficheros PHP. Este problema afecta a Belletrist: desde n/a hasta &lt;= 1.2."}], "id": "CVE-2025-69410", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-20T16:22:29.157", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/belletrist/vulnerability/wordpress-belletrist-theme-1-2-local-file-inclusion-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-98"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.2]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Belletrist", "source": "cna", "vendor": "Edge-Themes"}, "product": "belletrist", "vendor": "edge-themes"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-27T20:08:05.972895+00:00", "value": {"mitigation_remediation": ["Upgrade the Belletrist theme to a version newer than 1.2 to remove the vulnerable code", "If immediate upgrade is not possible, restrict filesystem permissions on the theme directory to prevent reading of sensitive files that could be included", "Validate and sanitize any user\u2011supplied path arguments before they reach the include/require statement, ensuring only legitimate, whitelisted file paths are processed."], "summary": {"action": "Patch Immediately", "impact": "Local File Inclusion potentially allowing unauthorized code execution"}, "threat_synthesis": {"affected_systems": "WordPress sites that use the Edge\u2011Themes Belletrist theme version 1.2 or earlier are affected. The issue exists from the earliest available version through the current 1.2 release. No specific patch version is listed, so any upgrade to a version newer than 1.2 removes the vulnerability.", "description_and_impact": "Improper control of the filename used in a PHP include/require statement creates a local file inclusion flaw in the Edge\u2011Themes Belletrist WordPress theme. An attacker could supply a path that references sensitive or executable files on the server, leading to the execution of code or disclosure of application secrets. The weakness is represented by CWE\u201198, which describes insecure management of filenames in file inclusion mechanisms.", "risk_and_exploitability": "The CVSS score of 8.1 indicates a high severity assessment, yet the EPSS score is < 1%, suggesting a low current exploitation probability. Because the flaw is a local file inclusion, it requires the attacker to be able to inject a file path into the application\u2019s include logic; the attack vector is likely via a web request that manipulates a parameter. The vulnerability is not listed in the CISA KEV catalog, so no public exploit must be known. Nonetheless, the high severity and potential for code execution make the risk significant for sites that have not upgraded the theme."}}}}, "created": "2026-02-23T14:36:47.745681+00:00", "updated": "2026-04-27T20:15:12.267656+00:00", "vendors": ["edge-themes", "edge-themes$PRODUCT$belletrist", "wordpress", "wordpress$PRODUCT$wordpress"]}