CVE-2025-68067 is a Local File Inclusion (LFI) vulnerability found in the Select-Themes Stockholm Core WordPress theme, specifically in versions up to 2.4.6. The vulnerability arises from improper control over the filename parameter used in PHP include or require statements, allowing an attacker to manipulate the input to include arbitrary files from the server's filesystem. This can lead to sensitive information disclosure, such as configuration files, password files, or application source code. In some cases, LFI can be escalated to remote code execution if the attacker can include files containing malicious code or leverage log poisoning techniques. The vulnerability does not require authentication or user interaction, making it easier to exploit remotely. Although no public exploits have been reported yet, the nature of the vulnerability and the widespread use of the Stockholm Core theme in WordPress sites make it a significant risk. The lack of a CVSS score indicates the need for a manual severity assessment. The vulnerability was published on December 16, 2025, and no official patches or mitigation links have been provided at this time. The issue is critical for websites relying on this theme, especially those handling sensitive user data or financial transactions.

For European organizations, exploitation of CVE-2025-68067 could lead to unauthorized disclosure of sensitive data, including user credentials, personal information, and internal configuration files. This compromises confidentiality and may facilitate further attacks such as privilege escalation or remote code execution. The integrity of web applications could be undermined, leading to defacement or insertion of malicious content, damaging brand reputation and customer trust. Availability could also be affected if attackers disrupt services or cause application crashes. Organizations in sectors such as e-commerce, finance, healthcare, and government are particularly vulnerable due to the sensitive nature of their data and regulatory requirements like GDPR. The ease of exploitation without authentication increases the risk of widespread automated attacks targeting vulnerable WordPress installations across Europe.

Organizations should immediately audit their WordPress sites to identify installations using the Stockholm Core theme version 2.4.6 or earlier. Until an official patch is released, implement strict input validation and sanitization on any parameters used in include or require statements to prevent arbitrary file inclusion. Employ web application firewalls (WAFs) with rules targeting LFI attack patterns to block malicious requests. Restrict PHP file inclusion paths using configuration directives such as open_basedir to limit accessible directories. Regularly monitor logs for suspicious activity indicative of LFI attempts. Consider isolating vulnerable web applications in segmented network zones to reduce lateral movement risk. Once a patch becomes available from Select-Themes, apply it promptly. Additionally, maintain updated backups and conduct penetration testing to verify the effectiveness of mitigations.