Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in LiquidThemes Hub Core allows PHP Local File Inclusion.

This issue affects Hub Core: from n/a before 6.0.2.
Published: 2025-12-16
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the Hub Core plugin for WordPress and results from improper control of the filename used in a PHP include or require statement. Classified as CWE-98, this flaw permits an attacker to read or execute arbitrary local files on the server. The effect may include disclosure of sensitive data or execution of malicious code if a PHP file is included from a crafted request.

Affected Systems

WordPress sites that have installed the LiquidThemes Hub Core plugin version 5.0.8 or earlier are affected. No specific minor version is listed beyond the upper bound of 5.0.8, and the issue applies to all installations from the initial release to that version.

Risk and Exploitability

The CVSS score of 7.5 places the vulnerability in the High severity band. The EPSS score of less than 1% suggests a low probability of exploitation in the wild at this time, and the vulnerability is not currently listed in the CISA KEV catalog. Based on the description, the likely attack vector is inferred to be web-based: a remote attacker could supply a crafted request that causes the plugin to include a local or remote file, gaining sensitive information or control over the site.

Generated by OpenCVE AI on May 20, 2026 at 11:50 UTC.

Remediation

Vendor Solution

Update the WordPress Hub Core plugin to the latest available version (at least 6.0.2).


OpenCVE Recommended Actions

  • Upgrade the Hub Core plugin to at least version 6.0.2 to apply the official fix
  • If an immediate upgrade is not possible, uninstall or disable the Hub Core plugin to eliminate the vulnerability
  • Configure a web application firewall to block LFI attempts, such as by rejecting requests containing suspicious path traversal sequences


Advisories

No advisories yet.

History

Wed, 20 May 2026 10:30:00 +0000


Wed, 20 May 2026 10:00:00 +0000

Type: Description
Values Removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in LiquidThemes Hub Core hub-core allows PHP Local File Inclusion.This issue affects Hub Core: from n/a through <= 5.0.8.
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in LiquidThemes Hub Core allows PHP Local File Inclusion. This issue affects Hub Core: from n/a before 6.0.2.

Type: Title
Values Removed: WordPress Hub Core plugin <= 5.0.8 - Local File Inclusion vulnerability
Values Added: WordPress Hub Core plugin < 6.0.2 - Local File Inclusion vulnerability

Type: References

Mon, 27 Apr 2026 19:30:00 +0000

Type: Metrics
Values Removed: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}
Values Added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Tue, 16 Dec 2025 17:15:00 +0000

Type: First Time appeared
Values Added: Liquidthemes; Liquidthemes hub; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Liquidthemes; Liquidthemes hub; Wordpress; Wordpress wordpress

Tue, 16 Dec 2025 16:15:00 +0000

Type: Metrics
Values Added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 16 Dec 2025 08:30:00 +0000

Type: Description
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in LiquidThemes Hub Core hub-core allows PHP Local File Inclusion.This issue affects Hub Core: from n/a through <= 5.0.8.

Type: Title
Values Added: WordPress Hub Core plugin <= 5.0.8 - Local File Inclusion vulnerability

Type: Weaknesses
Values Added: CWE-98

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-20T09:18:57.916Z

Reserved: 2025-12-15T10:01:19.544Z

Link: CVE-2025-68065

Vulnrichment

Updated: 2025-12-16T16:10:28.643Z

NVD

Status: Deferred

Published: 2025-12-16T09:16:01.743

Modified: 2026-05-20T10:16:26.137

Link: CVE-2025-68065

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-20T12:00:12Z

Weaknesses