CVE-2025-68065 - Vulnerability Details

- WordPress Hub Core plugin <= 5.0.8 - Local File Inclusion vulnerability

Description

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in LiquidThemes Hub Core hub-core allows PHP Local File Inclusion.This issue affects Hub Core: from n/a through <= 5.0.8.

Published: 2025-12-16

Score: 7.5 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability resides in the Hub Core plugin for WordPress and allows an attacker to control the filename used in a PHP include or require statement. This flaw, classified as CWE-98, can enable the reading or execution of arbitrary files on the server, which may lead to disclosure of sensitive data or execution of malicious code if a PHP file is read from a controlled or remote source.

Affected Systems

WordPress sites that have installed the LiquidThemes Hub Core plugin version 5.0.8 or earlier are affected. No specific minor version is listed beyond the upper bound of 5.0.8, and the issue applies to all installations from the initial release to that version.

Risk and Exploitability

The CVSS score of 7.5 indicates a high impact if the vulnerability is exploited. The EPSS score of less than 1% suggests a low probability of exploitation in the wild at this time, and the vulnerability is not currently catalogued in the CISA KEV list. The likely attack vector is web-based, where a remote attacker could supply a crafted request to induce the plugin to include a local or remote file and gain sensitive information or control over the site.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

LiquidThemes

Hub Core

unaffected

Version	Status	Constraints
`0`	affected	≤ 5.0.8

No data.

Vendor	Product	Confidence	Versions
Liquidthemes	Hub	—	—
Wordpress	Wordpress	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Hub Core plugin to version 5.0.9 or later once the official patch is released
If an immediate upgrade is not possible, uninstall or disable the Hub Core plugin to eliminate the vulnerability
Configure a web application firewall to block LFI attempts, such as by rejecting requests containing suspicious path traversal sequences

Generated by OpenCVE AI on April 27, 2026 at 22:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0022.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://patchstack.com/database/Wordpress/Plugin/hub-core/vulnerability/wordpress-hub-core-plugin-5-0-8-local-file-inclusion-vulnerability?_s_id=cve

History

Mon, 27 Apr 2026 19:30:00 +0000

Type	Values Removed	Values Added
Metrics	ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`	ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Thu, 23 Apr 2026 15:00:00 +0000

Type	Values Removed	Values Added
Metrics	cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}`	cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

Tue, 20 Jan 2026 15:30:00 +0000

Type	Values Removed	Values Added
References	https://vdp.patchstack.com/database/Wordpress/Plugin/hub-core/vulnerability/wordpress-hub-core-plugin-5-0-8-local-file-inclusion-vulnerability?_s_id=cve

Tue, 20 Jan 2026 14:45:00 +0000

Type	Values Removed	Values Added
References		https://patchstack.com/database/Wordpress/Plugin/hub-core/vulnerability/wordpress-hub-core-plugin-5-0-8-local-file-inclusion-vulnerability?_s_id=cve

Tue, 16 Dec 2025 17:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Liquidthemes Liquidthemes hub Wordpress Wordpress wordpress
Vendors & Products		Liquidthemes Liquidthemes hub Wordpress Wordpress wordpress

Tue, 16 Dec 2025 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}` ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 16 Dec 2025 08:30:00 +0000

Type	Values Removed	Values Added
Description		Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in LiquidThemes Hub Core hub-core allows PHP Local File Inclusion.This issue affects Hub Core: from n/a through <= 5.0.8.
Title		WordPress Hub Core plugin <= 5.0.8 - Local File Inclusion vulnerability
Weaknesses		CWE-98
References		https://vdp.patchstack.com/database/Wordpress/Plugin/hub-core/vulnerability/wordpress-hub-core-plugin-5-0-8-local-file-inclusion-vulnerability?_s_id=cve

Subscriptions

Liquidthemes Hub

Wordpress Wordpress

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published: 2025-12-16T08:13:01.354Z

Updated: 2026-04-28T16:14:28.031Z

Reserved: 2025-12-15T10:01:19.544Z

Link: CVE-2025-68065

Vulnrichment

Updated: 2025-12-16T16:10:28.643Z

NVD

Status : Deferred

Published: 2025-12-16T09:16:01.743

Modified: 2026-04-27T19:16:24.420

Link: CVE-2025-68065

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-27T22:30:14Z

Weaknesses

CWE-98

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object