VYPR
← All advisories
High severity8.1NVD Advisory· Published Jun 2, 2026· Updated Jun 2, 2026

CVE-2025-58705

CVE-2025-58705

Description

PHP Local File Inclusion in Axiomthemes Crafti theme (<=1.12) allows attackers to disclose sensitive files and potentially take over databases.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

PHP Local File Inclusion in Axiomthemes Crafti theme (<=1.12) allows attackers to disclose sensitive files and potentially take over databases.

Vulnerability

An Improper Control of Filename for Include/Require Statement vulnerability in Axiomthemes Crafti theme allows for PHP Local File Inclusion. This issue affects Crafti versions from n/a through 1.12 [1].

Exploitation

An attacker can exploit this vulnerability by crafting a malicious request to include local files from the target website. This requires the attacker to have the ability to send requests to the vulnerable application. No other specific conditions or user interaction are mentioned in the available references [1].

Impact

Successful exploitation allows a malicious actor to include local files and display their content. This could lead to the disclosure of sensitive information, such as database credentials, potentially enabling a complete database takeover depending on the server configuration [1].

Mitigation

Crafti theme versions up to and including 1.12 are affected. Updating to a patched version is the recommended immediate action. If an update is not immediately possible, users should seek assistance from their hosting provider or web developer. The specific patched version and release date are not yet disclosed in the available references [1].

References
  1. Local File Inclusion in WordPress Crafti Theme

AI Insight generated on Jun 2, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

1

News mentions

1