CVE-2025-69058 - Vulnerability Details

- WordPress PartyMaker theme <= 1.1.15 - Local File Inclusion vulnerability

Description

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes PartyMaker partymaker allows PHP Local File Inclusion.This issue affects PartyMaker: from n/a through <= 1.1.15.

Published: 2026-01-22

Score: 8.1 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The CVE describes an improper control of filename for include/require statements in PHP code within the AncoraThemes PartyMaker WordPress theme. This flaw allows the theme to perform local file inclusion, enabling an attacker to read arbitrary files on the server. Such access could expose configuration data, credentials, or other sensitive information; in some cases it could also lead to execution of malicious code if the attacker can inject or control a local script. The weakness is identified as CWE‑98.

Affected Systems

The vulnerability affects the PartyMaker WordPress theme provided by AncoraThemes for all released versions up to and including 1.1.15. Earlier releases are also impacted, as the issue is not limited to a specific revision. No additional product details are provided, and the affected version range is n/a through <= 1.1.15.

Risk and Exploitability

The CVSS score of 8.1 indicates a high severity impact for potential attackers. However, the EPSS score is listed as < 1%, suggesting a very low current likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is an unauthenticated web request to a page that includes a user‑supplied filename, allowing the attacker to supply a file path that resolves to an arbitrary local file. Successful exploitation would give the attacker read access to the filesystem and potentially a foothold for further attacks.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

AncoraThemes

PartyMaker

unaffected

Version	Status	Constraints
`0`	affected	≤ 1.1.15

No data.

Vendor	Product	Confidence	Versions
Wordpress	Wordpress	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the PartyMaker theme to a version newer than 1.1.15 to eliminate the local file inclusion flaw.
If an immediate update is not possible, uninstall the PartyMaker theme or switch to a different theme that is not vulnerable.
Configure the web application firewall or server to reject requests that contain path traversal characters (../, %, etc.) in parameters used by the theme’s include/require logic.

Generated by OpenCVE AI on April 29, 2026 at 10:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00066.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://patchstack.com/database/Wordpress/Theme/partymaker/vulnerability/wordpress-partymaker-theme-1-1-15-local-file-inclusion-vulnerability?_s_id=cve

History

Thu, 29 Jan 2026 16:15:00 +0000

Type	Values Removed	Values Added
Metrics	cvssV3_1 `{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`	cvssV3_1 `{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Wed, 28 Jan 2026 22:15:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 23 Jan 2026 16:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Wordpress Wordpress wordpress
Vendors & Products		Wordpress Wordpress wordpress

Thu, 22 Jan 2026 23:00:00 +0000

Type	Values Removed	Values Added
Description		Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes PartyMaker partymaker allows PHP Local File Inclusion.This issue affects PartyMaker: from n/a through <= 1.1.15.
Title		WordPress PartyMaker theme <= 1.1.15 - Local File Inclusion vulnerability
Weaknesses		CWE-98
References		https://patchstack.com/database/Wordpress/Theme/partymaker/vulnerability/wordpress-partymaker-theme-1-1-15-local-file-inclusion-vulnerability?_s_id=cve

Subscriptions

Wordpress Wordpress

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published: 2026-01-22T16:52:21.863Z

Updated: 2026-04-28T20:37:29.734Z

Reserved: 2025-12-29T11:18:59.801Z

Link: CVE-2025-69058

Vulnrichment

Updated: 2026-01-28T21:41:58.125Z

NVD

Status : Deferred

Published: 2026-01-22T17:16:19.520

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-69058

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T10:30:09Z

Weaknesses

CWE-98

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object