PHP Remote File Inclusion Vulnerability in Mikado-Themes Curly Theme
CVE-2025-67936
8.1 HIGH
What is CVE-2025-67936?
The Mikado-Themes Curly theme improperly controls the filenames used in PHP include/require statements. This flaw allows PHP Local File Inclusion: an attacker can cause the theme to include files located on the server. Users of the Curly theme, especially on versions below 3.3, should be aware of this vulnerability and take the necessary action to safeguard their installations.
Affected Version(s)
Curly <= n/a
CVSS V3.1
Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program