PatchSiren cyber security CVE debrief
CVE-2025-68065 LiquidThemes CVE debrief
CVE-2025-68065 is a high-severity PHP local file inclusion issue in Hub Core, affecting versions before 6.0.2. The published record describes improper control of a filename used in an include/require path, with NVD classifying the weakness as CWE-98. Site owners should treat this as a serious exposure risk for unpatched WordPress installations running the plugin.
- Vendor: LiquidThemes
- Product: Hub Core
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-12-16
- Original CVE updated: 2026-05-20
- Advisory published: 2025-12-16
- Advisory updated: 2026-05-20
Who should care
Administrators and security teams responsible for WordPress sites running Hub Core before 6.0.2, especially Internet-facing sites, managed hosting providers, and anyone who has not yet verified the plugin version in production.
Technical summary
The supplied record states that Hub Core is affected by an improper control of filename issue in a PHP include/require context, resulting in PHP local file inclusion. The advisory scope is Hub Core versions before 6.0.2. NVD lists the CVSS v3.1 vector as AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H with a score of 7.5 (High), and associates the issue with CWE-98. The record does not provide a weaponized proof-of-concept or claim remote code execution; the supported takeaway is that unpatched deployments may expose local files and related sensitive data.
Defensive priority
High for any unpatched Hub Core deployment; prioritize internet-facing WordPress sites and systems where plugin access is broad or administrative controls are weak.
Recommended defensive actions
- Identify all WordPress instances that have Hub Core installed and confirm the exact version.
- Upgrade Hub Core to 6.0.2 or later as soon as possible.
- If the plugin is not required, disable and remove it after validating site functionality.
- Review access and application logs for unusual file-inclusion or path-related requests around the exposure window.
- If sensitive files may have been exposed, rotate credentials and secrets that could be stored on the affected host.
- Validate backups and restoration procedures before and after remediation.
- Apply least-privilege filesystem permissions and keep WordPress, themes, and plugins fully patched.
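An added example (not code from the CVE record, Patchstack, or the plugin vendor) for the first action in the list: it walks a hosting root, reads WordPress plugin file headers, and flags Hub Core installs older than 6.0.2. It assumes the plugin's "Plugin Name" header contains "Hub Core"; the function names, the `hub-core` directory name and the sample tree are constructed for illustration.

```python
import os
import re
import tempfile

FIXED = (6, 0, 2)      # first fixed release per the CVE record
PRODUCT = "hub core"   # assumption: the "Plugin Name" header contains this text
HEADER = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):\s*(.+?)\s*$", re.I | re.M)

def parse_version(text):
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]  # '5.0.8' -> [5, 0, 8]
    return tuple(parts + [0] * (3 - len(parts)))

def read_plugin_header(path):
    """Return (name, version) from a WordPress plugin file header, or None."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        head = fh.read(8192)  # WordPress only scans the first 8 KB for headers
    fields = {k.lower(): v for k, v in HEADER.findall(head)}
    if "plugin name" in fields and "version" in fields:
        return fields["plugin name"], fields["version"]
    return None

def find_hub_core(root):
    """List (plugin_dir, version, vulnerable) for each Hub Core install under root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        parent = os.path.dirname(dirpath)
        if (os.path.basename(parent) != "plugins"
                or os.path.basename(os.path.dirname(parent)) != "wp-content"):
            continue
        dirnames[:] = []  # the main plugin file sits in the plugin's top directory
        for name in sorted(f for f in filenames if f.endswith(".php")):
            header = read_plugin_header(os.path.join(dirpath, name))
            if header and PRODUCT in header[0].lower():
                findings.append((dirpath, header[1], parse_version(header[1]) < FIXED))
    return sorted(findings)

def build_sample_tree(root):
    """Constructed sample data: two sites, directory name 'hub-core' is assumed."""
    for site, version in (("site-a", "5.0.8"), ("site-b", "6.0.2")):
        plugin_dir = os.path.join(root, site, "wp-content", "plugins", "hub-core")
        os.makedirs(plugin_dir)
        with open(os.path.join(plugin_dir, "hub-core.php"), "w") as fh:
            fh.write(f"<?php\n/**\n * Plugin Name: Hub Core\n * Version: {version}\n */\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for path, version, vulnerable in find_hub_core(tmp):
            print("VULNERABLE" if vulnerable else "ok", version, path)
```

Matching on the header rather than the directory name also catches copies installed under a renamed folder; point `find_hub_core` at the real web root in place of the sample tree.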
Evidence notes
Primary support comes from the supplied CVE description: improper control of filename for include/require in PHP leading to PHP local file inclusion, affecting Hub Core before 6.0.2. NVD metadata supplied in the source item adds CVSS v3.1 7.5 High (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H), CWE-98, and vulnStatus Deferred. The only supplied reference link is a Patchstack advisory page for a local file inclusion vulnerability in the Hub Core plugin, version 5.0.8. It supports the affected-product context but should be treated as a vendor reference rather than a standalone authoritative source for scope beyond the CVE record.
Official resources
- CVE-2025-68065 CVE record (CVE.org)
- CVE-2025-68065 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference
Published 2025-12-16 and last modified 2026-05-20. No KEV listing was provided. NVD marks the record as Deferred in the supplied source metadata.