CVE-2025-68067 in Stockholm Core Plugin

Summary

by MITRE • 12/16/2025

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Select-Themes Stockholm Core stockholm-core allows PHP Local File Inclusion. This issue affects Stockholm Core: from n/a through <= 2.4.6.

Analysis

by VulDB Data Team • 12/16/2025

The vulnerability identified as CVE-2025-68067 represents a critical PHP Remote File Inclusion flaw within the Select-Themes Stockholm Core stockholm-core component that enables unauthorized remote code execution through improper control of filename parameters in include/require statements. This vulnerability specifically targets the core functionality of the stockholm-core module, which is designed to provide essential framework components for WordPress themes. The flaw arises when the application fails to properly validate or sanitize user-supplied input that is subsequently used in dynamic include or require operations, creating a pathway for malicious actors to inject arbitrary PHP code. The vulnerability affects all versions of the stockholm-core component up to and including version 2.4.6, indicating a widespread exposure across multiple iterations of the framework. This issue falls under the category of CWE-98 - Improper Control of Filename for Include/Require Statement, which is classified as a direct result of insufficient input validation in file inclusion operations. The ATT&CK framework categorizes this vulnerability under T1505.003 - Server-side Include, as it exploits server-side code execution through inclusion mechanisms. The impact of this vulnerability extends beyond simple code injection, as it allows attackers to execute arbitrary commands on the affected server, potentially leading to complete system compromise. The vulnerability's exploitation requires minimal privileges and can be achieved through simple parameter manipulation in HTTP requests, making it particularly dangerous in production environments where the stockholm-core component is actively used.

The technical implementation of this vulnerability stems from the stockholm-core component's failure to properly validate or sanitize user input before using it in PHP include/require operations. When a user supplies a filename parameter that is then directly incorporated into an include statement without adequate sanitization, the system becomes vulnerable to malicious input injection. Attackers can leverage this weakness by providing specially crafted filenames that point to remote malicious files or local system files that contain malicious code. The vulnerability is particularly concerning because it operates at the core level of the theme framework, meaning that successful exploitation can provide attackers with access to fundamental system resources and potentially enable further lateral movement within the network. The affected range from n/a through version 2.4.6 indicates that this vulnerability has been present for an extended period, allowing attackers ample time to develop and deploy exploitation techniques. The lack of proper input validation creates a direct pathway for attackers to bypass normal access controls and execute arbitrary code, fundamentally compromising the integrity and security of the affected system. This vulnerability represents a classic example of how insufficient input validation in server-side applications can lead to severe security consequences.

The operational impact of CVE-2025-68067 is substantial and potentially catastrophic for affected organizations. Successful exploitation can result in complete system compromise, allowing attackers to establish persistent backdoors, exfiltrate sensitive data, or use the compromised system as a launching point for further attacks against internal networks. The vulnerability's potential for remote code execution means that attackers can perform actions such as creating new user accounts, modifying existing files, installing malware, or even using the compromised server for botnet activities. Organizations running affected versions of the stockholm-core component face significant risk of data breaches, service disruption, and regulatory compliance violations. The vulnerability's widespread nature across multiple versions suggests that many WordPress installations may be exposed, particularly those using themes built on the Select-Themes framework. The ease of exploitation combined with the potential for persistent access makes this vulnerability particularly attractive to cybercriminals and nation-state actors alike. Additionally, the vulnerability can be exploited through simple web requests, making it accessible to attackers with minimal technical expertise, which increases the overall threat landscape for affected systems.

Mitigation strategies for CVE-2025-68067 must be implemented immediately to protect affected systems from exploitation. The primary and most effective mitigation is to upgrade to the latest version of the stockholm-core component where this vulnerability has been patched, ensuring that all affected versions are updated to prevent exploitation. Organizations should also implement proper input validation and sanitization mechanisms throughout their applications to prevent similar vulnerabilities from occurring in the future. Network-level protections such as web application firewalls and intrusion detection systems can provide additional layers of defense by monitoring for suspicious file inclusion patterns. Security configurations should be reviewed to disable remote file inclusion capabilities where possible, and all user-supplied input should be validated against a strict whitelist of acceptable values. Regular security audits and penetration testing should be conducted to identify and remediate similar vulnerabilities throughout the application stack. System administrators should monitor for signs of exploitation attempts and implement proper logging and alerting mechanisms to detect suspicious activities. The vulnerability's classification as a remote code execution flaw necessitates comprehensive incident response planning and immediate remediation procedures to minimize potential damage from successful exploitation attempts.
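The allowlist validation recommended above can look like the following. This is an added example, not code from stockholm-core or from VulDB; the function name `resolve_template`, the template keys and the demo directory are hypothetical, and the sample inputs are constructed.

```php
<?php
// Added example; names are hypothetical, not taken from stockholm-core.
// Unsafe pattern (CWE-98): request data flows straight into include, e.g.
//   include $baseDir . '/' . $_GET['template'] . '.php';
// php.ini hardening: allow_url_include = Off keeps include from fetching URLs.

/** Resolve a template key via a fixed allowlist; null means reject. */
function resolve_template(string $key, string $baseDir, array $allowlist): ?string
{
    // 1. Only keys present in the allowlist are ever considered.
    if (!array_key_exists($key, $allowlist)) {
        return null;
    }
    // 2. Build the path from the allowlist value, never from the raw input.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $allowlist[$key]);
    if ($base === false || $path === false) {
        return null; // base directory or target file does not exist
    }
    // 3. Containment check: catches a symlink or a bad allowlist entry
    //    that resolves outside the template directory.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return is_file($path) ? $path : null;
}

// Constructed demo: a temporary directory holding one template file.
$dir = sys_get_temp_dir() . '/tpl_demo_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . '/header.php', "<?php echo \"header\\n\";");
$allow = ['header' => 'header.php'];

// Constructed inputs: one valid key and two values that must be rejected.
foreach (['header', '../../etc/passwd', 'http://example.invalid/x'] as $input) {
    $file = resolve_template($input, $dir, $allow);
    if ($file === null) {
        echo "rejected: $input\n";
    } else {
        include $file; // only reached for allowlisted, contained files
    }
}
unlink($dir . '/header.php');
rmdir($dir);
```

Because the included path is built from the allowlist value rather than from the request, a rejected key never reaches `include`, and the rejection branch is a natural place to emit the log event that monitoring can alert on.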

Responsible: Patchstack
Reservation: 12/15/2025
Disclosure: 12/16/2025
Moderation: accepted
CPE: ready
EPSS: 0.00124
KEV: no
Activities: very low
