CVE-2025-68886

Vulnerability

An Improper Control of Filename for Include/Require Statement in PHP vulnerability, specifically PHP Remote File Inclusion, exists in the androThemes Cookiteer WordPress theme. This vulnerability allows for PHP Local File Inclusion. It affects Cookiteer versions from n/a through 1.4.8 [1].

Exploitation

An attacker can exploit this vulnerability by including local files of the target website. The exact steps required for exploitation are not detailed in the available references, but it is expected to be used in mass-exploit campaigns [1].

Impact

Successful exploitation allows a malicious actor to include local files and display their output. This could lead to the disclosure of sensitive information, such as database credentials, potentially enabling a complete database takeover depending on the server configuration [1].

Mitigation

Users should update the Cookiteer theme to a version later than 1.4.8. If an immediate update is not possible, users are advised to seek assistance from their hosting provider or web developer. No specific fixed version is mentioned, but updating is the recommended action [1].