CVE-2025-58707: PHP Local File Inclusion in Axiomthemes Spin 1.8
CVE-2025-58707 is a file inclusion vulnerability in Axiomthemes Spin that allows attackers to include and execute arbitrary local files on the server. By manipulating input parameters, an unauthenticated attacker can reference files outside the intended directory, potentially exposing sensitive data or executing malicious code. The vulnerability affects Spin versions up through 1.8 and carries a CVSS score of 8.1, reflecting its severity.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.1 HIGH · CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-98
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-02 / 2026-06-17
NVD description (verbatim)
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Axiomthemes Spin allows PHP Local File Inclusion. This issue affects Spin: from n/a through 1.8.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
This vulnerability is classified as an improper control of filename for include/require statements (CWE-98), commonly known as PHP Local File Inclusion (LFI). The Spin application fails to properly validate or sanitize user-supplied input before using it in PHP include or require operations. An attacker with network access can craft requests that traverse the directory structure, causing the server to load and execute arbitrary local files. The attack requires no authentication and no user interaction, though successful exploitation depends on specific server configuration conditions (indicated by the CVSS Access Complexity of High).
Business impact
Successful exploitation could allow attackers to read sensitive configuration files containing database credentials, API keys, and other secrets. They may also execute PHP code with the privileges of the web server process, potentially leading to complete application compromise, lateral movement into backend systems, or data exfiltration. Organizations running vulnerable Spin installations face elevated risk of unauthorized access and data breach.
Affected systems
Axiomthemes Spin is affected in all versions from the initial release through version 1.8. Organizations using this theme or plugin should audit their installations immediately to determine if they are running an affected version. The vulnerability affects any web server hosting Spin with PHP enabled.
Exploitability
The vulnerability is exploitable remotely over the network without requiring authentication, credentials, or user interaction. The CVSS Access Complexity rating of High suggests that successful exploitation depends on environmental factors—such as specific server configurations, file permissions, or wrapper availability—that are not universally present. However, these conditions are common enough that the vulnerability should be treated as practically exploitable in many deployments.
Remediation
Upgrade Axiomthemes Spin to a patched version beyond 1.8 immediately. Verify the fix against the official Axiomthemes advisory to confirm the specific version that resolves this issue. If an immediate upgrade is not feasible, implement strict input validation and filename whitelisting for all include/require operations, restrict PHP's allow_url_include and allow_url_fopen directives to false in php.ini, and enforce least-privilege file permissions on the server.
Patch guidance
Contact Axiomthemes or check their official website for available security updates addressing CVE-2025-58707. Apply the patch to all production and staging environments running Spin. Test thoroughly in a non-production environment before deployment to ensure compatibility with your existing customizations and plugins.
Detection guidance
Monitor web server logs for suspicious include/require patterns in request parameters, such as attempts to access ../config.php, /etc/passwd, or other traversal indicators. Deploy a Web Application Firewall (WAF) rule set to block requests containing common LFI payloads. Use file integrity monitoring to detect unauthorized changes to PHP files. Check for unexpected file access patterns in PHP error logs. Conduct a code review of custom modifications to Spin to identify similar vulnerabilities.
Why prioritize this
This vulnerability warrants high priority due to its CVSS score of 8.1, the lack of authentication or user interaction requirements, and its potential to expose critical secrets and enable code execution. Although the CVSS Access Complexity of High indicates some environmental constraints, the attack surface is broad enough that many organizations are likely at risk. The fact that it is not yet on the KEV catalog should not delay patching—organizations should treat it as urgent regardless.
Risk score, explained
The CVSS 3.1 score of 8.1 (HIGH) reflects a network-exploitable vulnerability with no authentication requirement, high confidentiality and integrity impact (reading and potentially modifying files), and high availability impact (potential for denial of service through file access or code execution). The High Access Complexity acknowledges that successful exploitation may depend on specific server configurations, but this does not substantially reduce the overall risk profile given the prevalence of vulnerable configurations in the wild.
Frequently asked questions
What versions of Spin are affected?
All versions of Axiomthemes Spin from the initial release through version 1.8 are affected. If your installation is running version 1.8 or earlier, it is vulnerable. Check your Spin version in the theme or plugin settings and upgrade immediately if you are at or below version 1.8.
Do I need to be authenticated to exploit this vulnerability?
No. The vulnerability is exploitable by unauthenticated attackers over the network. An attacker does not need valid credentials, user account access, or permission to interact with your site in any special way to attempt exploitation.
Is there a public exploit available?
This vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, which tracks vulnerabilities actively exploited in the wild. However, the absence from the KEV catalog does not guarantee safety; threat actors may exploit it privately or limited disclosure may exist. Treat this as an urgent patch regardless.
Can I mitigate this without upgrading?
Partial mitigation is possible through defense-in-depth measures: disable URL-based file inclusion in php.ini (set allow_url_include = Off and allow_url_fopen = Off), apply strict file permissions, use a WAF to block LFI payloads, and monitor logs for suspicious activity. However, these are temporary measures only. A proper patch upgrade is required to fully resolve the vulnerability.
This analysis is based on the vulnerability description, CVSS assessment, and CWE classification provided in the source data. SEC.co does not provide exploit code or weaponized proof-of-concept instructions. Organizations should verify patch availability and compatibility with their environments before deployment. This document is for informational purposes and does not constitute legal, compliance, or professional security advice. Consult your security team and vendor documentation for definitive guidance on your specific deployment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2025-53440HIGHAxiomthemes Confidant PHP Local File Inclusion (LFI) Vulnerability – CVSS 8.1 HIGH
- CVE-2025-58024HIGHUnboundStudio Accordion FAQ Local File Inclusion Vulnerability – CVSS 7.5 HIGH
- CVE-2025-58705HIGHCrafti PHP Local File Inclusion (LFI) Vulnerability – Patch Guide
- CVE-2025-58897HIGHAxiomthemes Fermentio PHP Local File Inclusion Vulnerability (CVSS 8.1)
- CVE-2025-68886HIGHandroThemes Cookiteer PHP Local File Inclusion Vulnerability – CVSS 8.1
- CVE-2025-69369HIGHAxiomthemes Racquet File Inclusion Vulnerability (CVSS 8.1)
- CVE-2026-37266HIGHResponsive File Manager 9.14.0 Remote Code Execution via force_download.php
- CVE-2026-39552HIGHPHP Local File Inclusion in Code Supply Co. Blueprint – Patch Guidance