CVE-2025-58898 in HealthHub Plugin

Summary

by MITRE • 12/18/2025

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes HealthHub healthhub allows PHP Local File Inclusion. This issue affects HealthHub: from n/a through <= 1.3.0.


Analysis

by VulDB Data Team • 12/18/2025

CVE-2025-58898 is a critical PHP Remote File Inclusion flaw caused by improper control of filename parameters in include/require statements within the AncoraThemes HealthHub WordPress theme. It falls under CWE-98 - Improper Control of Filename for Include/Require Statement, which is classified as a remote code execution vector when attackers can manipulate file inclusion paths. The vulnerability affects HealthHub theme versions from the initial release through version 1.3.0, creating a window of exposure for numerous WordPress installations that use this theme.

The vulnerability occurs when the HealthHub theme fails to properly sanitize user input that is used in PHP include or require statements. Attackers can exploit this weakness by crafting malicious requests that manipulate the filename parameter passed to these statements, potentially allowing them to include arbitrary local or remote files. This flaw enables an attacker to execute arbitrary PHP code on the target server, effectively granting them full control over the affected system. The vulnerability is particularly dangerous because it allows for local file inclusion attacks, meaning that an attacker could potentially read sensitive files from the server's file system or even execute malicious code through the include mechanism.

From an operational perspective, this vulnerability poses significant risks to WordPress site administrators and security teams. The impact extends beyond simple data theft to encompass complete system compromise, as attackers can leverage this vulnerability to establish persistent backdoors, exfiltrate database credentials, or deploy additional malware. The attack surface is particularly concerning given that WordPress themes are frequently used and often have default configurations that make them prime targets for exploitation. Security practitioners should note that this vulnerability aligns with ATT&CK technique T1505.003 - Server Software Component, specifically targeting the inclusion of malicious components through vulnerable software.

The exploitation of this vulnerability typically requires an attacker to identify a parameter that is passed directly to PHP include/require functions without proper validation. In the context of the HealthHub theme, this could occur when user-provided input is used to determine which template files to include or which configuration files to load. The remediation strategy involves implementing proper input validation and sanitization of all parameters used in file inclusion operations, ensuring that only predefined safe values are accepted. Additionally, administrators should disable the ability to include remote files through PHP's allow_url_include directive and ensure that all WordPress installations are running the latest versions of both the core software and all themes and plugins. The vulnerability demonstrates the critical importance of input validation in web applications and reinforces the need for comprehensive security testing of third-party components.
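The remediation described above (accept only predefined values for any input that selects an included file, and keep allow_url_include off), sketched as an added example. This is not HealthHub or AncoraThemes code: the "layout" parameter, the template names and the directory are hypothetical, and PHP 8.0 or later is assumed.

```php
<?php
declare(strict_types=1);

// Added illustration of the remediation; not code from the HealthHub theme.
// The "layout" parameter, template names and directory are hypothetical.

const TEMPLATE_DIR = __DIR__ . '/templates';

// Allowlist: request value => file on disk. Input never becomes part of a path.
const TEMPLATES = [
    'default' => 'layout-default.php',
    'wide'    => 'layout-wide.php',
];

/**
 * Map untrusted input to a template path, or null if it is not allowlisted.
 */
function resolve_template(mixed $requested): ?string
{
    // Reject arrays (?layout[]=x) and anything that is not an exact allowlist key.
    if (!is_string($requested) || !array_key_exists($requested, TEMPLATES)) {
        return null;
    }
    // Defence in depth: the resolved file must exist inside TEMPLATE_DIR.
    $base = realpath(TEMPLATE_DIR);
    $path = realpath(TEMPLATE_DIR . '/' . TEMPLATES[$requested]);
    if ($base === false || $path === false
        || !str_starts_with($path, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $path;
}

// Pattern the analysis warns about (CWE-98), shown only for contrast:
//   include TEMPLATE_DIR . '/' . $_GET['layout'] . '.php';

// Remote includes should be off at the PHP level as well.
if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
    error_log('allow_url_include is enabled; set allow_url_include=Off in php.ini');
}

$template = resolve_template($_GET['layout'] ?? 'default');
if ($template === null) {
    http_response_code(400);
    exit('Unknown layout');
}
include $template;
```

Because the request value is only ever used as an array key, traversal sequences, wrappers and URLs never reach the include statement; the realpath check additionally catches a symlinked or misplaced template file.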

Responsible: Patchstack
Reservation: 09/05/2025
Disclosure: 12/18/2025
Moderation: accepted
CPE: ready
EPSS: 0.00226
KEV: no
Activities: very low
