CVE-2025-69005 in Search & Go Theme Plugin

Summary

by MITRE • 01/22/2026

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Search & Go (search-and-go) allows PHP Local File Inclusion. This issue affects Search & Go: from n/a through <= 2.8.


Analysis

by VulDB Data Team • 01/28/2026

The vulnerability identified as CVE-2025-69005 is a critical PHP Remote File Inclusion flaw in the Elated-Themes Search & Go plugin, affecting versions from n/a through 2.8. It stems from improper control of the filename parameter passed to include/require statements, which gives an attacker a path to arbitrary code execution through local file inclusion. The flaw lies in the plugin's handling of user-supplied input that is placed directly into a PHP include directive without adequate sanitization or validation.

Technically, the flaw lets an attacker manipulate the filename parameter passed to include or require, so that arbitrary PHP files already present on the local filesystem are loaded and executed. The issue falls under CWE-88, which describes improper control of filename for include or require statements, and is a classic instance of local file inclusion, a bug class that has been common in web applications for decades. The attack vector goes through the plugin's search functionality, where an injected file path bypasses normal access controls and the included file runs with the privileges of the web server.
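To make the bug class concrete, here is an added example (constructed for this page; it is not the Search & Go plugin's code and does not reproduce CVE-2025-69005's actual code path). It shows a generic template loader that builds an include path from a request parameter, beside a hardened version that treats the request value only as a key into a fixed allowlist. The `template` parameter, the templates directory and the file names are assumptions.

```php
<?php
// Added example: a generic WordPress-style template loader, NOT the Search & Go plugin's code.
// The 'template' parameter, the templates directory and the file names are assumptions.
declare(strict_types=1);

// --- Vulnerable pattern: the request value becomes part of the include path ---
function load_template_vulnerable(array $request, string $templateDir): void
{
    // With no validation, "../../wp-config" or the path of an uploaded file is included as PHP.
    $name = $request['template'] ?? 'default';
    include $templateDir . '/' . $name . '.php';
}

// --- Hardened pattern: the request value is a key into a fixed allowlist, never a path ---
const TEMPLATE_ALLOWLIST = [
    'default' => 'default.php',
    'grid'    => 'grid.php',
    'list'    => 'list.php',
];

function resolve_template(string $requested, string $templateDir): ?string
{
    if (!array_key_exists($requested, TEMPLATE_ALLOWLIST)) {
        return null;                       // unknown key: refuse rather than guess
    }
    $base = realpath($templateDir);
    $path = realpath($templateDir . '/' . TEMPLATE_ALLOWLIST[$requested]);
    // Defence in depth: the resolved file must still live inside the template directory.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Returns the rendered template, or null (and a 400 status) when the request is refused.
function load_template_hardened(array $request, string $templateDir): ?string
{
    $path = resolve_template((string) ($request['template'] ?? 'default'), $templateDir);
    if ($path === null) {
        http_response_code(400);
        return null;
    }
    return (string) include $path;         // the template file returns its output
}

// Stand-alone demonstration with a constructed templates directory in the temp folder.
$dir = sys_get_temp_dir() . '/lfi-demo-' . getmypid();
mkdir($dir);
foreach (TEMPLATE_ALLOWLIST as $file) {
    file_put_contents("$dir/$file", "<?php return 'rendered ' . basename(__FILE__);");
}
$requests = [
    ['template' => 'grid'],             // valid key
    ['template' => '../../wp-config'],  // traversal attempt
    ['template' => 'php://input'],      // stream wrapper attempt
    [],                                 // parameter absent: falls back to 'default'
];
foreach ($requests as $req) {
    $shown  = var_export($req['template'] ?? '(absent)', true);
    $result = load_template_hardened($req, $dir);
    echo "$shown => ", $result ?? 'rejected (400)', PHP_EOL;
}
array_map('unlink', glob("$dir/*.php"));
rmdir($dir);
```

The point of the hardened version is that no byte of the request ever reaches `include`: the allowlist lookup fails closed on any unknown key, and the `realpath` check is a second, independent guard in case the allowlist itself is ever misconfigured with a relative entry.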

The operational impact is significant: the vulnerability lets an attacker execute arbitrary code on the target system, which can lead to full compromise. An attacker could use it to upload malicious files, establish persistent backdoors, or extract sensitive data from the host. Every installation running an affected plugin version is exposed, and exploitation yields unauthorized access to the web server hosting the application. This type of attack aligns with ATT&CK technique T1505.003, which covers server-side include attacks, and T1059.007, covering scripting through web shells.

Mitigation should start with immediate patching of the Search & Go plugin to version 2.8 or later, where the vulnerability has been addressed. Administrators should also ensure that user-supplied data is validated and sanitized before it is used in any include/require statement. Network-level protections such as web application firewalls can detect and block requests that attempt to exploit this vulnerability. Applying the principle of least privilege to the web server account and disabling remote file inclusion in the PHP configuration add further layers of defense. Regular security audits and vulnerability assessments should be conducted to find similar issues in other plugins and applications in the same environment.
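For the detection side of the mitigation advice, the following added example (not part of VulDB's or the plugin's material) scans web server access-log lines for the request features an include-parameter attack needs: path traversal, absolute filesystem paths, PHP stream wrappers and null bytes, including their URL-encoded and double-encoded forms. The log lines and the `template` parameter name are constructed for illustration; the real parameter used against Search & Go is not stated in the advisory.

```php
<?php
// Added example: a small access-log check for LFI-style requests; not VulDB or plugin code.
// Sample lines and the 'template' parameter name are constructed for illustration.
declare(strict_types=1);

/**
 * Return the suspicious indicators found in one combined-format access-log line
 * (an empty array means nothing matched).
 */
function lfi_indicators(string $logLine): array
{
    // Pull the request target out of the quoted request line: "GET /path?query HTTP/1.1"
    if (!preg_match('/"(?:GET|POST|HEAD) ([^ "]+) HTTP\/[0-9.]+"/', $logLine, $m)) {
        return [];
    }
    $target = $m[1];
    // Inspect the raw target, its decoded form and a double-decoded form so that
    // %2e%2e%2f and %252e%252e%252f are both caught.
    $views = [$target, rawurldecode($target), rawurldecode(rawurldecode($target))];
    $checks = [
        'path-traversal' => '#(?:\.\./|\.\.\\\\)#',
        'absolute-path'  => '#[?&=](?:/etc/|/proc/|/var/|[A-Za-z]:\\\\)#',
        'stream-wrapper' => '#[?&=](?:php|data|expect|phar|zip)://#i',
        'null-byte'      => '#%00|\x00#',
    ];
    $found = [];
    foreach ($checks as $label => $re) {
        foreach ($views as $v) {
            if (preg_match($re, $v)) {
                $found[] = $label;
                break;
            }
        }
    }
    return $found;
}

// Constructed sample lines (not real traffic); 203.0.113.0/24 is a documentation range.
$sample = [
    '203.0.113.7 - - [28/Jan/2026:10:00:01 +0000] "GET /?s=coffee&template=grid HTTP/1.1" 200 5123',
    '203.0.113.9 - - [28/Jan/2026:10:00:02 +0000] "GET /?template=../../../../etc/passwd HTTP/1.1" 200 311',
    '203.0.113.9 - - [28/Jan/2026:10:00:03 +0000] "GET /?template=%2e%2e%2f%2e%2e%2fwp-config HTTP/1.1" 200 311',
    '203.0.113.9 - - [28/Jan/2026:10:00:04 +0000] "GET /?template=php://filter/resource=index HTTP/1.1" 200 900',
];
foreach ($sample as $line) {
    $hits = lfi_indicators($line);
    printf("%-5s %s\n", $hits ? 'ALERT' : 'ok', implode(',', $hits));
}
```

Two practical notes. First, a 200 status on such a request, as in the constructed lines above, is the case worth paging on: a 404 usually means the include failed. Second, the `allow_url_include=Off` setting recommended above blocks only the `php://input`, `data://` and remote-URL variants; it does nothing against `../` traversal into files that already exist on the server, so the configuration change complements the allowlist fix rather than replacing it.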

Disclosure

01/22/2026

Moderation

accepted

CPE

ready

EPSS

0.00222

KEV

no

Activities

very low
