A critical vulnerability has been identified in the Elated-Themes Neo Ocular theme for WordPress. This flaw, designated CVE-2025-67920 with a CVSS score of 9.8, allows an unauthenticated attacker to include and execute files on the server, potentially leading to a complete system compromise. Successful exploitation could result in data theft, website defacement, or the server being used for further malicious activities.

The vulnerability is a Local File Inclusion (LFI) flaw within the Neo Ocular theme. The application fails to properly sanitize user-supplied input that is used to construct a file path for an include or require statement in its PHP code. An unauthenticated, remote attacker can manipulate this input with directory traversal sequences (../) to force the application to include and execute arbitrary PHP files present on the server's filesystem. This could allow an attacker to execute a previously uploaded web shell or leverage other files to gain control of the web server.

This vulnerability is rated as critical severity with a CVSS score of 9.8. Successful exploitation can lead to a complete compromise of the web server, posing a significant risk to the business. Potential consequences include the execution of arbitrary code with the privileges of the web server process, theft of sensitive data such as customer information or database credentials, website defacement, and service disruption. The compromised server could also be used as a pivot point to launch further attacks against the internal network, causing extensive damage to the organization's security posture and reputation.

Immediate Action: Update the Elated-Themes Neo Ocular theme to version 1.2 or the latest available version, which addresses this vulnerability. After patching, monitor for any signs of post-exploitation activity and review web server access logs for any exploitation attempts that may have occurred prior to the update.

Proactive Monitoring:

• Log Analysis: Scrutinize web server access logs for requests containing directory traversal patterns (e.g., ../, ..%2F) or attempts to include common system files (e.g., /etc/passwd, wp-config.php).
• File Integrity Monitoring (FIM): Implement FIM to detect unauthorized changes to website files or the creation of new files (e.g., web shells) in web-accessible directories.
• Network Traffic: Monitor for unusual outbound connections from the web server, which could indicate a successful compromise and communication with a command-and-control server.

Compensating Controls: If patching cannot be performed immediately, implement the following controls to reduce risk:

• Web Application Firewall (WAF): Deploy a WAF with a robust ruleset designed to detect and block LFI and directory traversal attack patterns.
• PHP Hardening: In the php.ini configuration, disable allow_url_include and configure the open_basedir directive to restrict file access to only the necessary directories for the web application.
• Principle of Least Privilege: Ensure the web server process runs under a low-privileged user account to limit the impact of a potential code execution event.

Public Exploit Available: true

This vulnerability represents a critical risk to the organization and requires immediate action. The primary recommendation is to update the affected Elated-Themes Neo Ocular theme to version 1.2 or later on all applicable systems without delay. Although this CVE is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, its critical severity and the ease of exploitation mean it should be treated with the highest priority. If patching is delayed, the compensating controls outlined above must be implemented as a temporary measure to mitigate the immediate threat.