CVE-2025-58894 in Good Mood Plugininfo

Summary

by MITRE • 12/18/2025

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Good Mood good-mood allows PHP Local File Inclusion. This issue affects Good Mood: from n/a through <= 1.16.


Analysis

by VulDB Data Team • 12/18/2025

CVE-2025-58894 is a critical PHP Remote File Inclusion flaw in the axiomthemes Good Mood WordPress theme, affecting versions through 1.16. The root cause is improper validation of the filename parameter passed to an include/require statement: user-supplied input reaches the include directive without adequate sanitization or validation, so a remote attacker can steer the include statement toward arbitrary files, whether hosted on a remote server or present on the local filesystem, and thereby execute arbitrary code.

This vulnerability is classified under CWE-88, which describes improper control of filename for include or require statements, and aligns with CWE-94, improper control of generation of code. It operates at the application layer and specifically targets the PHP interpreter's include/require functionality, where attacker-controlled input bypasses security checks and leads to arbitrary code execution. The weakness is particularly dangerous because local file inclusion techniques let an attacker read sensitive files, execute malicious code, or establish persistence in the target environment. Its location within a WordPress theme amplifies the impact, since theme code runs with the privileges of the WordPress process and has access to the same sensitive resources.

The operational impact extends beyond simple code execution: the flaw can enable data exfiltration, privilege escalation, and the establishment of backdoors. An attacker who can include a malicious PHP file hosted on a remote server may achieve complete system compromise. Data integrity and confidentiality are also at risk, because the flaw may expose sensitive files, configuration data, or user information stored on the affected system. Because the theme is widely used, the attack surface is significant, and compromised sites can serve as launching points for further attacks within networks.

Mitigation of CVE-2025-58894 should start with immediate patching of affected versions, since the flaw is a direct consequence of improper input validation in PHP include statements. Organizations should enforce strict input validation and sanitization for every user-supplied parameter that can reach an include/require operation, accepting only predefined, trusted values. PHP's allow_url_include directive should be disabled to prevent remote file inclusion, and file access controls and permissions should be enforced to limit the impact of local file inclusion attempts. Network-based mitigations include a web application firewall that detects and blocks suspicious include patterns, together with monitoring for unusual file access patterns. The vulnerability's classification under ATT&CK technique T1190, "Exploit Public-Facing Application," indicates that it is exploited through web application attacks, which makes it particularly relevant for organizations hardening their externally facing services. Regular security audits and code reviews should look for similar weaknesses in other include/require operations throughout the application stack.
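To make the "predefined, trusted values" advice concrete, here is an added example written for this page; it is not code from the Good Mood theme or from axiomthemes, and the function names, the template directory and the allowlist entries are assumptions. It shows the unsafe include pattern this CWE class describes next to a hardened loader that maps request values onto an allowlist and confirms the resolved path stays inside the template directory, and it checks the allow_url_include setting at runtime.

```php
<?php
// Added example, not the theme's own code. All names are hypothetical.

// --- Unsafe pattern: the request parameter flows straight into include().
// With allow_url_include=On this is remote file inclusion; with it Off it is
// still local file inclusion via path traversal. Shown only for contrast.
function render_template_unsafe(string $name): void
{
    include $name . '.php';   // attacker-controlled filename reaches include()
}

// --- Hardened pattern -------------------------------------------------------

// Directory that holds the only files this loader is allowed to include.
const TEMPLATE_DIR = __DIR__ . '/templates';

// Allowlist: request value => file name. Anything not listed here is rejected.
const TEMPLATES = [
    'home'    => 'home.php',
    'archive' => 'archive.php',
    'single'  => 'single.php',
];

// Resolve a request value to an absolute path, or null if it must be rejected.
function resolve_template(string $name): ?string
{
    // 1. Only predefined names are accepted; the raw value is never used as a path.
    if (!array_key_exists($name, TEMPLATES)) {
        return null;
    }

    // 2. Defence in depth: canonicalise and confirm containment in TEMPLATE_DIR,
    //    so a mistake in the allowlist (e.g. a "../" entry) still cannot escape.
    $base = realpath(TEMPLATE_DIR);
    $path = realpath(TEMPLATE_DIR . '/' . TEMPLATES[$name]);
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// True if the interpreter would allow include() to fetch remote URLs.
function remote_include_enabled(): bool
{
    return filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN);
}

function render_template(string $name): void
{
    if (remote_include_enabled()) {
        // Refuse to serve rather than run with a setting that turns any
        // include bug into remote code execution. Fix php.ini instead.
        http_response_code(500);
        error_log('allow_url_include is On; refusing to render templates');
        return;
    }

    $path = resolve_template($name);
    if ($path === null) {
        http_response_code(400);
        echo 'Unknown template';
        return;
    }
    include $path;   // only an allowlisted, contained path ever reaches here
}

// Usage: the value comes from the request, but only allowlisted names are used.
render_template((string)($_GET['template'] ?? 'home'));
```

The allowlist is the real control: the request value is used only as an array key, so neither a URL nor a traversal sequence can become the include target. The realpath containment check and the allow_url_include check are secondary layers; allow_url_include has shipped Off by default and is deprecated as of PHP 7.4, so the runtime check mostly guards against hand-edited php.ini files. The same approach applies to any theme or plugin code that builds an include path from a request parameter.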

Responsible

Patchstack

Reservation

09/05/2025

Disclosure

12/18/2025

Moderation

accepted

CPE

ready

EPSS

0.00110

KEV

no

Activities

very low

Sources
