Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in androThemes Cookiteer allows PHP Local File Inclusion. This issue affects Cookiteer: from n/a through 1.4.8.
CVE-2025-68886 is a PHP Local File Inclusion (LFI) vulnerability affecting androThemes Cookiteer plugin versions through 1.4.8. The vulnerability stems from improper control of filenames in PHP include/require statements (CWE-98), allowing attackers to manipulate file path parameters and read arbitrary files from the server. This is particularly dangerous for WordPress sites using Cookiteer, as attackers can access sensitive configuration files (wp-config.php), database credentials, and other protected system files without authentication. The vulnerability affects all users of Cookiteer from inception through version 1.4.8, making it a widespread risk in the WordPress ecosystem.
While this CVE currently maps to zero Casky skills, practitioners defending against LFI attacks should focus on detection patterns related to Reconnaissance and Execution phases. Casky's Claude-powered analysis would identify suspicious file access patterns—such as unusual include/require parameters, path traversal sequences (../ patterns), or attempts to load files outside expected directories. Security teams would see findings flagged for suspicious parameter manipulation in WordPress plugin traffic, including encoded payloads attempting to access /etc/passwd, configuration files, or log files. Detection would center on monitoring POST/GET parameters passed to vulnerable Cookiteer functions for directory traversal indicators and implementing file inclusion whitelisting—techniques aligned with defense-in-depth approaches practitioners can implement while waiting for official patches to version 1.4.9 or later.
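The parameter monitoring described above can be sketched as a log scanner. This is an added example, not Casky's or the plugin's code: the page does not name the vulnerable Cookiteer parameter, so the scanner checks every query-string parameter, and the `action=demo` and `template` names and the log lines are constructed for illustration. It only sees GET query strings, since POST bodies are not present in standard access logs.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Indicators named in the text: traversal sequences and sensitive target files.
TRAVERSAL = re.compile(r"(?:^|/)\.\.(?:/|$)")
SENSITIVE = re.compile(r"/etc/passwd|wp-config\.php|\.log\b", re.I)
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed sample access-log lines (hypothetical parameter names, documentation IP).
SAMPLE = [
    '203.0.113.7 - - [01/Jan/2026:10:00:00 +0000] "GET /wp-admin/admin-ajax.php?action=demo&template=header HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2026:10:00:05 +0000] "GET /wp-admin/admin-ajax.php?action=demo&template=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 3120',
    '203.0.113.7 - - [01/Jan/2026:10:00:09 +0000] "GET /wp-admin/admin-ajax.php?action=demo&template=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1800',
]

def fully_decode(value, max_rounds=5):
    """Percent-decode until stable so double-encoded payloads are normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    # Drop null bytes and treat backslashes as path separators before matching.
    return value.replace("\x00", "").replace("\\", "/")

def inspect_value(value):
    """Return the indicator names found in one parameter value."""
    v = fully_decode(value)
    hits = []
    if TRAVERSAL.search(v):
        hits.append("traversal")
    if SENSITIVE.search(v):
        hits.append("sensitive-target")
    return hits

def scan_log(lines):
    """Yield (line_no, parameter, indicators) for each suspicious query parameter."""
    for n, line in enumerate(lines, 1):
        m = REQUEST.search(line)
        if not m:
            continue
        query = urlsplit(m.group(1)).query
        for name, raw in parse_qsl(query, keep_blank_values=True):
            hits = inspect_value(raw)
            if hits:
                yield n, name, hits

if __name__ == "__main__":
    for finding in scan_log(SAMPLE):
        print(finding)
```

The repeated decoding matters because a single pass leaves the third sample line as `%2e%2e%2f...`, which a plain `../` match would miss.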