CVE-2025-68886: androThemes Cookiteer PHP Local File Inclusion Vulnerability – CVSS 8.1
A vulnerability in androThemes Cookiteer plugin allows an attacker to include and execute arbitrary local files through improper input handling in PHP include/require statements. While the vulnerability is classified as a Local File Inclusion (LFI) rather than true Remote File Inclusion, the network-accessible nature of web plugins means an unauthenticated attacker can exploit this remotely to read sensitive files or potentially execute code, depending on file availability and server configuration. All versions through 1.4.8 are affected.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.1 HIGH · CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-98
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-02 / 2026-06-17
NVD description (verbatim)
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in androThemes Cookiteer allows PHP Local File Inclusion. This issue affects Cookiteer: from n/a through 1.4.8.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2025-68886 is a PHP Local File Inclusion vulnerability stemming from CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program). The androThemes Cookiteer plugin fails to properly sanitize or validate file path parameters passed to PHP include() or require() functions, enabling an attacker to traverse the file system and load arbitrary files. The CVSS 3.1 score of 8.1 (HIGH) reflects high confidentiality, integrity, and high availability impact with network accessibility but high attack complexity, indicating the exploit requires specific conditions or knowledge of target file locations but no authentication.
Business impact
Exploitation could lead to unauthorized disclosure of sensitive application data, configuration files containing credentials, or database connection strings. In scenarios where writable files or log injection is possible, attackers may achieve remote code execution, leading to full application compromise, lateral movement within the infrastructure, and potential data exfiltration. Organizations running Cookiteer should assume their sites are at elevated risk of reconnaissance and potential takeover.
Affected systems
androThemes Cookiteer version 1.4.8 and all prior versions are vulnerable. The plugin is typically deployed in WordPress or similar PHP-based CMS environments. Organizations should inventory all installations, including development, staging, and production environments, as the plugin may be disabled but still present on disk.
Exploitability
The vulnerability is network-exploitable without authentication, but requires high attack complexity (CVSS:3.1/AV:N/AC:H). This suggests the attacker must either know or guess valid file paths on the target system or leverage information disclosure to discover them. Exploitation difficulty is moderate rather than trivial, but the lack of any authentication barrier and the prevalence of predictable file structures in PHP applications (e.g., wp-config.php, .env files) means this should not be underestimated in real-world scenarios.
Remediation
Immediately update androThemes Cookiteer to a patched version beyond 1.4.8. If an update is unavailable, disable and remove the plugin from all environments. Apply input validation and sanitization to any file-path parameters; use allowlists of permitted files rather than blacklists. Additionally, harden file system permissions to prevent access to sensitive configuration files and implement web application firewalls to detect directory traversal patterns.
Patch guidance
Verify the latest version of Cookiteer against the vendor's official repository and security advisories. Apply patches in a staged manner: test in a non-production environment first, document the deployment, and monitor application logs for any anomalies post-update. If the vendor has not released a patch by your assessment date, contact androThemes directly and consider the removal option as an interim protective measure.
Detection guidance
Monitor web server and application logs for suspicious file path patterns in URL parameters or POST data (e.g., ../, ../../, absolute paths to /etc/passwd or /var/www/.env). Check for unexpected file includes from atypical directories. Implement file integrity monitoring on sensitive configuration files to detect unauthorized read access. Search plugin directories and active plugin lists to identify all Cookiteer installations and their versions.
Why prioritize this
Despite being rated HIGH (8.1) rather than CRITICAL, this vulnerability warrants urgent action because it affects a web-accessible plugin with no authentication requirement, provides a direct path to sensitive data disclosure, and in many hosting environments could facilitate code execution. The attack complexity moderately reduces priority but does not eliminate it—real-world exploitation is plausible and should be treated as imminent in vulnerability management workflows.
Risk score, explained
CVSS 3.1 score of 8.1 (HIGH) reflects: Attack Vector Network (user-facing web interface), high Confidentiality and Integrity impact (files can be read or potentially manipulated), high Availability impact (service disruption possible if critical files are compromised), no privileges required, and no user interaction needed. Attack Complexity is rated High, acknowledging that successful exploitation requires knowledge of or ability to discover valid file paths, preventing an automatic 'CRITICAL' rating. However, in practice, many file paths in PHP applications are predictable or discoverable through other reconnaissance.
Frequently asked questions
Is this vulnerability actively exploited in the wild?
CVE-2025-68886 is not currently listed on CISA's Known Exploited Vulnerabilities (KEV) catalog. However, LFI vulnerabilities are commonly chained with other flaws or used for reconnaissance. The lack of KEV status does not mean exploitation is unlikely—monitor threat intelligence feeds and your own logs closely.
Can this vulnerability lead to remote code execution?
Direct remote code execution depends on file system state and permissions. If the server has writable directories accessible to the web process, or if log files can be injected and later included, RCE may be possible. Even without direct RCE, confidentiality breaches from reading configuration files or private keys pose severe risk.
What if we have Cookiteer installed but disabled?
A disabled plugin may still be vulnerable if the underlying code is present on disk and the web server can still route requests to its handlers. Disabling is not sufficient; the plugin should be removed entirely or the application updated to a patched version. Verify removal by checking the plugin directory and active plugin registries.
Do we need to patch immediately, or can we wait for a maintenance window?
Given the HIGH severity, no authentication requirement, and ease of reconnaissance, this should be treated as a critical item for your next available maintenance window—ideally within days, not weeks. The attack complexity is not so high as to guarantee you are safe during a 30-day window. If you cannot patch immediately, remove the plugin and block known attack patterns at the WAF.
This analysis is provided for informational purposes and represents our assessment based on available data as of the publication date. Vendors, patch availability, and threat landscape evolve rapidly. Organizations should verify all technical claims and version information directly against official vendor advisories and security bulletins before taking remediation actions. Patch testing should always occur in isolated, non-production environments first. SEC.co and its analysts bear no liability for decisions made in reliance on this intelligence. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2025-53440HIGHAxiomthemes Confidant PHP Local File Inclusion (LFI) Vulnerability – CVSS 8.1 HIGH
- CVE-2025-58024HIGHUnboundStudio Accordion FAQ Local File Inclusion Vulnerability – CVSS 7.5 HIGH
- CVE-2025-58705HIGHCrafti PHP Local File Inclusion (LFI) Vulnerability – Patch Guide
- CVE-2025-58707HIGHPHP Local File Inclusion in Axiomthemes Spin 1.8
- CVE-2025-58897HIGHAxiomthemes Fermentio PHP Local File Inclusion Vulnerability (CVSS 8.1)
- CVE-2025-69369HIGHAxiomthemes Racquet File Inclusion Vulnerability (CVSS 8.1)
- CVE-2026-37266HIGHResponsive File Manager 9.14.0 Remote Code Execution via force_download.php
- CVE-2026-39552HIGHPHP Local File Inclusion in Code Supply Co. Blueprint – Patch Guidance