HIGH 8.1

CVE-2025-58897: Axiomthemes Fermentio PHP Local File Inclusion Vulnerability (CVSS 8.1)

Axiomthemes Fermentio contains a vulnerability that allows attackers to include and execute arbitrary PHP files from the local server, potentially leading to unauthorized access, data theft, or system compromise. The vulnerability stems from insufficient validation of filenames used in PHP include/require statements, enabling attackers to manipulate file paths without authentication. Versions up to and including 1.5.0 are affected.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.1 HIGH · CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-98
Affected products
0 configuration(s)
Published / Modified
2026-06-02 / 2026-06-17

NVD description (verbatim)

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Axiomthemes Fermentio allows PHP Local File Inclusion. This issue affects Fermentio: from n/a through 1.5.0.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2025-58897 is a PHP Local File Inclusion (LFI) vulnerability classified as CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program). The flaw allows remote attackers to craft requests that cause the application to include arbitrary local files via unsanitized filename parameters passed to PHP's include() or require() functions. While the CVE description references remote file inclusion vectors, the confirmed attack surface is local file inclusion. The vulnerability requires no authentication and no user interaction, though exploitation may depend on specific application context. The CVSS 3.1 score of 8.1 (HIGH) reflects potential confidentiality, integrity, and availability impacts.

Business impact

Successful exploitation could enable attackers to read sensitive configuration files containing database credentials, API keys, and application secrets. In scenarios where writable directories are accessible, attackers might achieve remote code execution by including malicious PHP files uploaded through secondary vectors. The risk extends to unauthorized data access, privilege escalation, and potential lateral movement within infrastructure if Fermentio integrates with backend systems.

Affected systems

Axiomthemes Fermentio versions through 1.5.0 are vulnerable. Organizations should audit all installations of this theme/plugin, particularly those exposed to untrusted networks. The vulnerability affects web applications built on Fermentio regardless of hosting environment—shared, VPS, or dedicated.

Exploitability

Exploitation requires network access but no authentication or user interaction. An attacker needs knowledge of internal file paths or common Linux/Windows directory structures on the target server. The relatively high CVSS score (8.1) reflects the low barrier to attack execution. However, successful exploitation depends on application-specific configurations; not all instances may be equally vulnerable if include paths are restricted or input validation exists at higher application layers. The vulnerability is not currently tracked on the CISA Known Exploited Vulnerabilities list.

Remediation

Immediately upgrade Fermentio to a patched version released after 1.5.0—verify the exact version number in the Axiomthemes security advisory or vendor documentation. If an update is unavailable, implement temporary mitigations: restrict PHP's include_path directive to specific safe directories, disable dynamic file inclusion where possible, and enforce strict input validation on all parameters used in include/require statements. Review application logs for suspicious include attempts using patterns containing '../' or absolute paths.

Patch guidance

Check the Axiomthemes official website or security advisory for patched versions beyond 1.5.0. Apply patches in a staging environment first to validate compatibility with existing configurations and extensions. After patching, verify that include/require functionality behaves as expected by testing core theme features. Document the patching timestamp and version for audit compliance.

Detection guidance

Monitor web server and application logs for HTTP requests containing file path traversal sequences (../, ..\ , or encoded variants) in parameters commonly passed to includes. Search for access attempts to sensitive files like wp-config.php, .env, database configuration files, or /etc/passwd. Deploy Web Application Firewall (WAF) rules to block requests with filename parameters containing directory traversal indicators. Endpoint Detection and Response (EDR) tools should flag unexpected PHP include operations sourcing files from user-controlled locations.

Why prioritize this

Although not on the KEV list, this vulnerability should be prioritized due to its high CVSS score (8.1), network exploitability, lack of authentication requirement, and potential for data exfiltration and code execution. Organizations running Fermentio should treat this as urgent, especially if the application handles sensitive data or is internet-facing.

Risk score, explained

The CVSS 3.1 score of 8.1 (HIGH) reflects: Network Attack Vector (AV:N) requiring no authentication (PR:N) or user interaction (UI:N), High confidentiality impact (reading local files), High integrity impact (potential for code execution if upload/write capabilities exist), High availability impact (resource exhaustion or service disruption). The Attack Complexity is High (AC:H), suggesting exploitation requires specific conditions or knowledge, which slightly tempers the score but does not reduce the practical risk significantly.

Frequently asked questions

Does this vulnerability require authentication to exploit?

No. The vulnerability is exploitable by remote unauthenticated attackers with network access to the affected Fermentio installation.

Can this vulnerability lead to remote code execution?

Local File Inclusion (LFI) can enable code execution if the attacker can write executable PHP files to the server (via another vulnerability or misconfiguration) or if log files containing attacker-controlled content are included. The primary impact is confidentiality through sensitive file disclosure, but secondary exploitation paths to RCE may exist depending on server configuration.

What versions of Fermentio are affected?

Fermentio versions up to and including 1.5.0 are vulnerable. Verify the exact patched version from Axiomthemes' official security advisory before upgrading.

Should I wait for the KEV list to add this before prioritizing remediation?

No. CISA KEV listing is typically reserved for vulnerabilities with active public exploitation. This vulnerability's HIGH CVSS score and ease of exploitation warrant immediate patching regardless of KEV status. Treat it as business-critical in your patch management workflow.

This analysis is based on publicly available CVE information current as of the publication date. Specific patch version numbers and availability should be verified directly with Axiomthemes or the vendor security advisory. The technical details are provided for defensive and remediation purposes. Unauthorized access to computer systems is illegal. Always validate findings in your environment and follow your organization's change management procedures before applying patches. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).