CVE-2025-58892 in Tourimo Plugin
Summary
by MITRE • 12/18/2025
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Tourimo tourimo allows PHP Local File Inclusion. This issue affects Tourimo: from n/a through <= 1.2.3.
Analysis
by VulDB Data Team • 12/18/2025
CVE-2025-58892 is a critical PHP Remote File Inclusion flaw in the AncoraThemes Tourimo (tourimo) plugin. It falls under the broader category of improper control of filename for include/require statements, which is classified as CWE-98 in the Common Weakness Enumeration catalog. The vulnerability allows attackers to manipulate the include/require functionality within the PHP application, potentially enabling arbitrary code execution through local file inclusion attacks.
The vulnerability occurs when the tourimo plugin fails to properly validate or sanitize user-supplied input that is used in include/require statements. When an attacker can control the filename parameter passed to these PHP functions, they can manipulate the execution flow to include arbitrary local files or potentially remote files. This weakness exists in the plugin version range from unspecified initial versions through version 1.2.3, indicating that the vulnerability has been present for some time and affects a wide range of installations. The flaw directly enables PHP Local File Inclusion (LFI) attacks, which can be leveraged to execute malicious code on the affected server.
The operational impact of this vulnerability is severe for any website running the affected tourimo plugin. Attackers can exploit this weakness to read arbitrary files on the server, potentially accessing sensitive configuration files, database credentials, or other confidential information. In more advanced exploitation scenarios, this vulnerability can lead to full system compromise through remote code execution, allowing attackers to establish persistent backdoors, exfiltrate data, or use the compromised server for further attacks. The vulnerability affects not only the immediate plugin functionality but can also potentially provide attackers with access to the entire web application stack and underlying server infrastructure.
Mitigation strategies for CVE-2025-58892 should prioritize immediate patching of the tourimo plugin to the latest available version that addresses this vulnerability. System administrators should implement proper input validation and sanitization measures to ensure that any user-supplied input used in include/require statements is properly validated and restricted. The principle of least privilege should be enforced by configuring PHP with appropriate security settings that prevent remote file inclusion attacks. Additionally, implementing web application firewalls and intrusion detection systems can help monitor for exploitation attempts. Organizations should also conduct thorough security assessments of their web applications and ensure that all third-party plugins and themes are regularly updated and vetted for security vulnerabilities. This vulnerability aligns with ATT&CK technique T1190 for exploitation of remote services and T1078 for valid accounts, as attackers may leverage this vulnerability to establish persistent access to compromised systems.
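One way to implement the input restriction described above, as an added example rather than code from the Tourimo plugin or its vendor: the request value is used only as a key into an allowlist, and the resolved path must stay inside the template directory. The function `resolve_template`, the template names and the demo directory are hypothetical.

```php
<?php
declare(strict_types=1);

// Generic CWE-98 pattern (illustrative, not Tourimo's code):
//   include $dir . '/' . $_GET['view'] . '.php';
// Hardened form: hypothetical helper that returns a safe path or null.
function resolve_template(string $requested, string $baseDir, array $allowed): ?string
{
    // 1. Allowlist: the request value is only a lookup key, never part of a path.
    if (!array_key_exists($requested, $allowed)) {
        return null;
    }
    // 2. Containment: resolve symlinks and ".." and require the result
    //    to stay under $baseDir, in case an allowlist entry is wrong.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $allowed[$requested]);
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Constructed demo data: a temporary template directory with one file.
$baseDir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tpl_demo_' . getmypid();
if (!is_dir($baseDir)) {
    mkdir($baseDir);
}
$template = $baseDir . DIRECTORY_SEPARATOR . 'tour-card.php';
file_put_contents($template, "<?php echo 'tour card';\n");
$allowed = ['card' => 'tour-card.php', 'stale' => 'missing.php'];

// Constructed request values: one valid key, one stale entry, two path-like inputs.
foreach (['card', 'stale', '../../wp-config.php', 'https://example.invalid/x.txt'] as $input) {
    $file = resolve_template($input, $baseDir, $allowed);
    if ($file === null) {
        echo "rejected: {$input}\n";
        continue;
    }
    echo "included for '{$input}': ";
    include $file;
    echo "\n";
}

unlink($template);
rmdir($baseDir);
```

Keeping `allow_url_include` set to `Off` in php.ini (its default) blocks remote URLs in include/require independently of this check.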