{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-68067", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-12-15T10:01:19.544Z", "datePublished": "2025-12-16T08:13:03.257Z", "dateUpdated": "2026-04-28T16:14:28.195Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "stockholm-core", "product": "Stockholm Core", "vendor": "Select-Themes", "versions": [{"lessThanOrEqual": "2.4.6", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:24:26.393Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Select-Themes Stockholm Core stockholm-core allows PHP Local File Inclusion.<p>This issue affects Stockholm Core: from n/a through <= 2.4.6.</p>"}], "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Select-Themes Stockholm Core stockholm-core allows PHP Local File Inclusion.This issue affects Stockholm Core: from n/a through <= 2.4.6."}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:28.195Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/stockholm-core/vulnerability/wordpress-stockholm-core-plugin-2-4-6-local-file-inclusion-vulnerability?_s_id=cve"}], "title": "WordPress Stockholm Core plugin <= 2.4.6 - Local File Inclusion vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-27T18:32:01.289441Z", "id": "CVE-2025-68067", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T18:32:04.971Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-68067", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-27T18:32:01.289441Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-16T15:25:22.666Z"}}], "cna": {"title": "WordPress Stockholm Core plugin <= 2.4.6 - Local File Inclusion vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Select-Themes", "product": "Stockholm Core", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "2.4.6"}], "packageName": "stockholm-core", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:24:26.393Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/stockholm-core/vulnerability/wordpress-stockholm-core-plugin-2-4-6-local-file-inclusion-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Select-Themes Stockholm Core stockholm-core allows PHP Local File Inclusion.This issue affects Stockholm Core: from n/a through <= 2.4.6.", "supportingMedia": [{"type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Select-Themes Stockholm Core stockholm-core allows PHP Local File Inclusion.<p>This issue affects Stockholm Core: from n/a through <= 2.4.6.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:13:56.173Z"}}}, "cveMetadata": {"cveId": "CVE-2025-68067", "state": "PUBLISHED", "dateUpdated": "2026-04-27T18:32:04.971Z", "dateReserved": "2025-12-15T10:01:19.544Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2025-12-16T08:13:03.257Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Select-Themes Stockholm Core stockholm-core allows PHP Local File Inclusion.This issue affects Stockholm Core: from n/a through <= 2.4.6."}], "id": "CVE-2025-68067", "lastModified": "2026-04-27T19:16:24.550", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2025-12-16T09:16:02.010", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/stockholm-core/vulnerability/wordpress-stockholm-core-plugin-2-4-6-local-file-inclusion-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-98"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-27T22:19:41.157846+00:00", "value": {"mitigation_remediation": ["Upgrade the Stockholm Core plugin to a version newer than 2.4.6, which removes the vulnerability.", "If an immediate upgrade is not feasible, restrict the filesystem access used by the plugin by configuring safe mode or disabling user input that can influence include/require paths.", "Deploy a web application firewall or input sanitization routine that validates file names against an allowlist before including them."], "summary": {"action": "Immediate Patch", "impact": "Local File Inclusion"}, "threat_synthesis": {"affected_systems": "All releases of the Stockholm Core WordPress plugin from early versions through 2.4.6 are affected. The affected vendor is Select\u2011Themes and the product is the Stockholm Core plugin. The public CVE notes indicate the problem applies to every version up to and including 2.4.6; later versions are not listed as vulnerable.", "description_and_impact": "The vulnerability in Select\u2011Themes Stockholm Core allows an attacker to manipulate the file name used in an include or require statement. Because the plugin does not properly validate or sanitize this value, an arbitrary local file can be loaded at runtime. An attacker who can influence the value may trigger the execution of local code, read sensitive files, or otherwise compromise the integrity of the WordPress installation. The weakness is identified as CWE\u201198.", "risk_and_exploitability": "The CVSS score of 7.5 classifies the flaw as high severity, while the EPSS score of less than 1% suggests very low exploitation probability at present. The vulnerability is not listed in CISA\u2019s KEV catalog. Attackers would need to provide a crafted input that is used as the filename in an include/require call, which likely requires local or authenticated access to the WordPress instance. As a result, the risk is significant for systems that have the vulnerable plugin installed and are exposed to untrusted input or users that can influence plugin parameters."}}}}, "created": "2025-12-16T17:08:54.575039+00:00", "updated": "2026-04-27T22:30:14.452658+00:00", "vendors": ["select-themes", "select-themes$PRODUCT$stockholm_core", "wordpress", "wordpress$PRODUCT$wordpress"]}