CVE-2025-67936 is a Local File Inclusion (LFI) vulnerability found in the Mikado-Themes Curly WordPress theme, affecting versions prior to 3.3. The vulnerability arises from improper control over the filename parameter used in PHP include or require statements. This flaw allows an attacker to manipulate the input controlling which files are included by the PHP script, potentially leading to the inclusion of arbitrary local files on the server. Such an attack can expose sensitive configuration files, source code, or other data, and in some cases, it may enable remote code execution if combined with other vulnerabilities or misconfigurations. The vulnerability is classified as an improper control of filename for include/require statement, a common PHP security issue that can lead to Local File Inclusion. No CVSS score has been assigned yet, and no known exploits have been reported in the wild as of the publication date. The vulnerability was reserved in December 2025 and published in January 2026. The affected product, Curly, is a WordPress theme developed by Mikado-Themes, widely used in various websites. The lack of a patch link indicates that a fix may not yet be publicly available, emphasizing the need for immediate mitigation efforts by site administrators. The vulnerability does not require authentication or user interaction, increasing its risk profile. Attackers can exploit this remotely by sending crafted requests to vulnerable endpoints that include or require files based on user-supplied input. This vulnerability can compromise confidentiality by exposing sensitive files, integrity by allowing code injection, and availability if exploited to disrupt site functionality.

For European organizations, this vulnerability poses a significant risk to websites using the Mikado-Themes Curly theme, which may include corporate, governmental, and e-commerce sites. Exploitation can lead to unauthorized disclosure of sensitive data such as configuration files, credentials, or personal data protected under GDPR. This can result in regulatory penalties, reputational damage, and financial loss. Additionally, attackers may leverage the LFI to execute arbitrary code or pivot to other internal systems, increasing the attack surface. The vulnerability could disrupt website availability, impacting business operations and customer trust. Given the widespread use of WordPress and the popularity of Mikado-Themes in Europe, especially in countries with large digital economies, the threat is material. Organizations in sectors such as finance, healthcare, and public administration are particularly at risk due to the sensitivity of their data and regulatory requirements. The absence of known exploits currently provides a window for proactive defense, but the ease of exploitation and potential impact necessitate urgent attention.

1. Immediately upgrade the Mikado-Themes Curly theme to version 3.3 or later once the patch is released by the vendor. 2. Until an official patch is available, implement input validation and sanitization on all parameters controlling file inclusion to prevent arbitrary file paths. 3. Employ Web Application Firewalls (WAF) with rules specifically designed to detect and block Local File Inclusion attempts targeting the Curly theme. 4. Restrict PHP include paths and disable allow_url_include in PHP configuration to reduce the risk of remote file inclusion. 5. Conduct thorough code reviews and penetration testing focusing on file inclusion vectors within the theme and custom plugins. 6. Monitor web server and application logs for suspicious requests containing directory traversal patterns or unusual file inclusion attempts. 7. Backup website data regularly and maintain an incident response plan to quickly remediate any exploitation. 8. Educate site administrators and developers about secure coding practices related to file inclusion and parameter handling. 9. Consider isolating WordPress instances or running them in containers to limit the blast radius of any compromise. 10. Engage with Mikado-Themes support or community forums to stay informed about patches and mitigation best practices.