CVE-2025-67521 - Vulnerability Details

- WordPress Select Core plugin < 2.6 - Local File Inclusion vulnerability

Description

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Select-Themes Select Core select-core allows PHP Local File Inclusion.This issue affects Select Core: from n/a through < 2.6.

Published: 2025-12-09

Score: 7.5 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability arises from improper control of filename parameters within an include/require statement in the WordPress Select Core plugin. An attacker who can supply a crafted filename can cause PHP to include arbitrary local files, which may allow execution of injected code or disclosure of sensitive content. This weakness is classified as CWE‑98 and can compromise the confidentiality, integrity, and availability of the affected WordPress installation.

Affected Systems

The flaw exists in the Select Core plugin from the Select‑Themes vendor, affecting all released versions prior to 2.6. Any WordPress site that has the Select Core plugin installed with a version lower than 2.6 is potentially vulnerable.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity, but the EPSS score of less than 1% suggests a low likelihood of widespread exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Exploitation would require the attacker to influence the include path, likely through plugin configuration or user input, and would succeed when the site allows inclusion of local files without proper validation.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Select-Themes

Select Core

unaffected

Version	Status	Constraints
`0`	affected	≤ 2.6

No data.

Vendor	Product	Confidence	Versions
Select-themes	Select Core	—	—
Wordpress	Wordpress	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Select Core plugin to version 2.6 or later to eliminate the vulnerable include behaviour.
If an upgrade is not feasible, completely disable or remove the Select Core plugin to prevent the local file inclusion path from being exposed.
Configure the web server or PHP environment to restrict local file inclusion by disabling file‑based include directives for user‑controlled input and enforcing read‑only permissions on sensitive files.

Generated by OpenCVE AI on April 29, 2026 at 19:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00109.

Exploitation none

Automatable yes

Technical Impact total

References

Link	Providers
https://patchstack.com/database/Wordpress/Plugin/select-core/vulnerability/wordpress-select-core-plugin-2-6-local-file-inclusion-vulnerability?_s_id=cve

History

Thu, 23 Apr 2026 15:00:00 +0000

Type	Values Removed	Values Added
Metrics	cvssV3_1 `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}`	cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

Tue, 20 Jan 2026 15:30:00 +0000

Type	Values Removed	Values Added
References	https://vdp.patchstack.com/database/Wordpress/Plugin/select-core/vulnerability/wordpress-select-core-plugin-2-6-local-file-inclusion-vulnerability?_s_id=cve

Tue, 20 Jan 2026 14:45:00 +0000

Type	Values Removed	Values Added
References		https://patchstack.com/database/Wordpress/Plugin/select-core/vulnerability/wordpress-select-core-plugin-2-6-local-file-inclusion-vulnerability?_s_id=cve

Thu, 11 Dec 2025 20:15:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}` ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Wed, 10 Dec 2025 18:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Select-themes Select-themes select Core Wordpress Wordpress wordpress
Vendors & Products		Select-themes Select-themes select Core Wordpress Wordpress wordpress

Tue, 09 Dec 2025 14:30:00 +0000

Type	Values Removed	Values Added
Description		Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Select-Themes Select Core select-core allows PHP Local File Inclusion.This issue affects Select Core: from n/a through < 2.6.
Title		WordPress Select Core plugin < 2.6 - Local File Inclusion vulnerability
Weaknesses		CWE-98
References		https://vdp.patchstack.com/database/Wordpress/Plugin/select-core/vulnerability/wordpress-select-core-plugin-2-6-local-file-inclusion-vulnerability?_s_id=cve

Subscriptions

Select-themes Select Core

Wordpress Wordpress

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published: 2025-12-09T14:13:58.865Z

Updated: 2026-04-28T16:14:19.692Z

Reserved: 2025-12-09T12:20:54.763Z

Link: CVE-2025-67521

Vulnrichment

Updated: 2025-12-11T19:28:26.686Z

NVD

Status : Deferred

Published: 2025-12-09T16:18:25.540

Modified: 2026-04-27T18:16:40.690

Link: CVE-2025-67521

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T19:45:18Z

Weaknesses

CWE-98

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object