CVE-2025-58705: Crafti PHP Local File Inclusion (LFI) Vulnerability – Patch Guide
CVE-2025-58705 is a PHP Local File Inclusion (LFI) vulnerability in Axiomthemes Crafti through version 1.12. An attacker can exploit improper filename validation in PHP include/require statements to include and execute arbitrary local files on the server. This allows remote code execution without authentication, making it a critical risk for any organization running vulnerable Crafti installations. The vulnerability has a CVSS 3.1 score of 8.1 (HIGH severity) with network accessibility and high impact across confidentiality, integrity, and availability.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.1 HIGH · CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-98
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-02 / 2026-06-17
NVD description (verbatim)
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Axiomthemes Crafti allows PHP Local File Inclusion. This issue affects Crafti: from n/a through 1.12.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability stems from CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program), which reflects inadequate input validation on file paths used in PHP's include() or require() directives. An unauthenticated remote attacker can manipulate input parameters to point include/require statements toward arbitrary files on the server filesystem. While the description notes this as a PHP Remote File Inclusion (RFI) risk, the primary impact is Local File Inclusion (LFI)—allowing attackers to read sensitive configuration files, source code, logs, or other local files; or to chain the LFI with local file upload/log poisoning techniques to achieve code execution. The CVSS vector (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) indicates network-based attack with high complexity, requiring no privileges or user interaction, but delivering high impact on all three security properties.
Business impact
Organizations using Crafti risk unauthorized access to sensitive data stored on affected servers, including database credentials, API keys, customer information, and proprietary code. An attacker could also modify or delete files, or execute arbitrary code to establish persistence, pivot to adjacent systems, or deploy malware. For SaaS or managed hosting providers, a single compromised Crafti instance could expose multiple client environments. The CVSS 8.1 score reflects that while exploitation requires some technical sophistication (high complexity), the blast radius is severe once successful.
Affected systems
All Axiomthemes Crafti installations from the earliest tracked version through 1.12 are affected. Organizations should inventory all Crafti deployments immediately to determine exposure. Crafti is a WordPress theme/plugin framework; vulnerable instances are typically web-facing WordPress sites. The vulnerability is not limited to a specific hosting environment—it affects self-hosted, managed, and cloud-based WordPress deployments equally.
Exploitability
The vulnerability requires network access but no prior authentication or user interaction. However, the CVSS 'High Complexity' rating suggests that successful exploitation depends on factors such as server configuration, PHP settings (e.g., allow_url_include directives), or knowledge of the exact vulnerable parameter and valid file paths. This does not mean the vulnerability is obscure; it means an attacker must understand the target's filesystem structure or try multiple techniques. Public information about Crafti's architecture or any disclosed proof-of-concept would significantly lower the barrier to exploitation. The lack of KEV (Known Exploited Vulnerability) status does not imply the vulnerability is unexploited in the wild.
Remediation
Immediate action: Update Axiomthemes Crafti to a version newer than 1.12 as soon as vendor patches become available. Until a patch is released, implement compensating controls such as Web Application Firewall (WAF) rules to block requests with suspicious include/require parameters, restrict PHP's allow_url_include and allow_url_fopen settings to false, and limit filesystem permissions so the web server process cannot read sensitive files. Review server logs for signs of exploitation (unusual include/require requests, file access patterns). If a patch version is available, verify it against the official Axiomthemes security advisory before deployment.
Patch guidance
Check the Axiomthemes website and security advisories for a patched release newer than version 1.12. Apply patches in a staging environment first to validate compatibility with your WordPress configuration, plugins, and themes. Monitor Crafti's release notes and security mailing list for announcements. If using WordPress plugin/theme auto-update mechanisms, ensure they are enabled to minimize time between patch availability and deployment. After patching, verify the fix by reviewing the code changes and testing that include/require statements now properly validate and sanitize file paths.
Detection guidance
Search web server logs for HTTP requests containing suspicious parameters (e.g., file paths, null bytes, directory traversal sequences like ../, or protocol handlers like file://) targeting known or guessed Crafti endpoints. Look for PHP errors or warnings related to include/require failures in server error logs. Implement WAF rules to detect and block common LFI patterns (e.g., requests containing file path indicators). Use file integrity monitoring to alert on unauthorized reads of sensitive files (e.g., wp-config.php, .htaccess). Network IDS/IPS signatures may be available from threat intelligence feeds once public exploit details emerge. Scanner tools like Burp Suite, Acunetix, or OWASP ZAP can help identify vulnerable parameters in Crafti installations.
Why prioritize this
This vulnerability scores 8.1 (HIGH) and should be treated as urgent. It requires no authentication, is network-accessible, and grants an attacker read/write/execute capabilities on the server. While AC:H (High Complexity) indicates some exploitation hurdle, the impact—full server compromise—justifies immediate patching. Organizations should prioritize this above lower-severity issues. If you operate public-facing WordPress sites using Crafti, treat this as a critical security incident until patched.
Risk score, explained
The CVSS 3.1 score of 8.1 reflects: AV:N (Network—attacker needs only network access); AC:H (High Complexity—some technical know-how or reconnaissance required); PR:N (No privileges—unauthenticated attackers can attempt exploitation); UI:N (No user interaction needed); S:U (Scope Unchanged—impact is limited to the vulnerable component); C:H, I:H, A:H (High impact on all three security pillars—confidentiality, integrity, and availability are all compromised). The HIGH severity rating is justified given the combination of remote, unauthenticated attack surface and severe impact. The AC:H rating prevents a CRITICAL score, but this should not be underestimated.
Frequently asked questions
What versions of Crafti are vulnerable?
Axiomthemes Crafti versions up to and including 1.12 are affected. Verify your installed version via the WordPress admin dashboard (Appearance > Themes or Plugins, depending on how Crafti is deployed). Once a patched version is released by Axiomthemes, update immediately.
Do I need to have Crafti publicly exposed to be at risk?
Yes, the vulnerability is exploitable remotely over the network without authentication. If your WordPress site runs Crafti and is accessible via the internet, it is exposed. Even if Crafti is not the main theme, if it is active or installed as a plugin framework, it poses risk.
What should I do if I cannot patch immediately?
Apply compensating controls: (1) Use a Web Application Firewall to block requests with file path traversal patterns; (2) Disable PHP's allow_url_include and allow_url_fopen directives in php.ini; (3) Restrict filesystem permissions so the web server user cannot read sensitive files; (4) Monitor logs for exploitation attempts; (5) Consider taking the affected site offline until a patch is available.
Is there a public exploit for this vulnerability?
As of the last update, this vulnerability has not been added to CISA's Known Exploited Vulnerabilities (KEV) catalog, which does not confirm whether exploits exist in the wild. Monitor security research publications, vendor advisories, and threat intelligence feeds. Assume exploits may appear or be in private use, regardless of public disclosure status.
This analysis is for informational purposes and does not constitute legal, security, or professional advice. Organizations must verify all technical details, patch versions, and vendor guidance against official Axiomthemes advisories and their own environment. No exploit code or weaponized proof-of-concept is provided herein. Exploitation of vulnerabilities without proper authorization is illegal. SEC.co and this analysis assume no liability for misuse or damages resulting from reliance on this information. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2025-53440HIGHAxiomthemes Confidant PHP Local File Inclusion (LFI) Vulnerability – CVSS 8.1 HIGH
- CVE-2025-58024HIGHUnboundStudio Accordion FAQ Local File Inclusion Vulnerability – CVSS 7.5 HIGH
- CVE-2025-58707HIGHPHP Local File Inclusion in Axiomthemes Spin 1.8
- CVE-2025-58897HIGHAxiomthemes Fermentio PHP Local File Inclusion Vulnerability (CVSS 8.1)
- CVE-2025-68886HIGHandroThemes Cookiteer PHP Local File Inclusion Vulnerability – CVSS 8.1
- CVE-2025-69369HIGHAxiomthemes Racquet File Inclusion Vulnerability (CVSS 8.1)
- CVE-2026-37266HIGHResponsive File Manager 9.14.0 Remote Code Execution via force_download.php
- CVE-2026-39552HIGHPHP Local File Inclusion in Code Supply Co. Blueprint – Patch Guidance