Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Töbel tobel allows PHP Local File Inclusion. This issue affects Töbel: from n/a through <= 1.6.
Published: 2026-01-22
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Töbel theme passes a filename to PHP include/require statements without properly validating it. This flaw, classified as CWE-98, lets an attacker supply an arbitrary local file path, which enables disclosure of sensitive files on the server or execution of arbitrary PHP code if the attacker can first place malicious files in a writable directory.

Affected Systems

The vulnerability is present in the Töbel theme version 1.6 and earlier. The affected product is Elated-Themes Töbel for WordPress. No specific sub-versions are distinguished; any installation of version 1.6 or lower is affected.

Risk and Exploitability

The vulnerability carries a CVSS score of 8.1 (High). The EPSS score of less than 1% indicates a low estimated probability of exploitation at the time of scoring, and the issue is not listed in the CISA KEV catalog. The attack vector is likely remote: the flaw lies in a WordPress theme served over HTTP, so a web request that reaches the vulnerable include would trigger it. An attacker with sufficient privileges could use this to read configuration files or execute PHP code, potentially taking control of the affected WordPress site.

Generated by OpenCVE AI on April 29, 2026 at 10:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Töbel theme to version 1.7 or newer, where the file inclusion flaw has been fixed.
  • If an immediate upgrade is not possible, locate the source file that performs the insecure include/require and modify it to use a whitelist of allowed files or remove the function entirely.
  • Harden file and directory permissions by ensuring that directories containing WordPress core files are not writable by web users and that sensitive files such as wp-config.php are protected from web access.

Generated by OpenCVE AI on April 29, 2026 at 10:31 UTC.
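The allowlist remediation recommended above, shown as an added illustration that is not the Töbel theme's own code: the `template` request parameter, the `templates/` directory and the allowed template names are assumptions chosen for the example, and the unsafe function only reproduces the CWE-98 pattern the description refers to.

```php
<?php
// Added illustration of the allowlist remediation; not code from the Töbel theme.
// The 'template' request parameter, the templates/ directory and the allowed
// names are assumptions chosen for this example.

// Pattern the advisory describes (CWE-98): a request-controlled value reaches
// include unchecked, so the requester decides which local file is executed.
function example_load_template_unsafe(): void {
    $name = $_GET['template'] ?? 'default';
    include get_template_directory() . '/templates/' . $name . '.php';
}

// Hardened form: the request value is only ever used as a key into a fixed map,
// so no part of it becomes a filesystem path. A realpath containment check
// guards the include as a second layer in case the map is edited later.
function example_load_template_safe(string $requested): bool {
    $templates = [
        'default'   => 'default.php',
        'portfolio' => 'portfolio.php',
        'gallery'   => 'gallery.php',
    ];
    if (!array_key_exists($requested, $templates)) {
        return false;   // unknown name: refuse rather than fall back to the input
    }
    $base = realpath(get_template_directory() . '/templates');
    if ($base === false) {
        return false;   // templates directory missing: nothing safe to include
    }
    $path = realpath($base . DIRECTORY_SEPARATOR . $templates[$requested]);
    if ($path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return false;   // resolved file is not inside the templates directory
    }
    include $path;
    return true;
}

// Usage: normalise the raw request value with WordPress's sanitize_key(),
// validate it against the map, and answer a rejected request with a 404.
$requested = isset($_GET['template']) ? sanitize_key((string) $_GET['template']) : 'default';
if (!example_load_template_safe($requested)) {
    status_header(404);
}
```

Logging the rejected value (without including it anywhere) gives a simple detection signal for probing of this parameter.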


Advisories

No advisories yet.

History

Thu, 29 Jan 2026 01:15:00 +0000

Type: Metrics
  Values removed:
    cvssV3_1: {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}
    ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
  Values added:
    cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}
    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 27 Jan 2026 16:15:00 +0000

Type: Metrics
  Values added:
    cvssV3_1: {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}
    ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 23 Jan 2026 16:45:00 +0000

Type: First Time appeared
  Values added: Wordpress; Wordpress wordpress
Type: Vendors & Products
  Values added: Wordpress; Wordpress wordpress

Thu, 22 Jan 2026 23:00:00 +0000

Type: Description
  Values added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Töbel tobel allows PHP Local File Inclusion. This issue affects Töbel: from n/a through <= 1.6.
Type: Title
  Values added: WordPress Töbel theme <= 1.6 - Local File Inclusion vulnerability
Type: Weaknesses
  Values added: CWE-98
Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T20:35:57.560Z

Reserved: 2025-12-29T11:18:51.165Z

Link: CVE-2025-69049

Vulnrichment

Updated: 2026-01-27T15:38:27.454Z

NVD

Status : Deferred

Published: 2026-01-22T17:16:18.310

Modified: 2026-06-17T10:00:08.783

Link: CVE-2025-69049

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T10:45:09Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')