摘要

A critical Local File Inclusion (LFI) vulnerability has been disclosed in the Learnify WordPress theme affecting versions ≤ 1.15.0 (CVE-2025-60085). The flaw allows unauthenticated attackers to include and display local files from the webserver. This vulnerability carries a high severity (CVSS 8.1) and can be exploited widely — exposing files such as 9. 或使用使會話失效的插件。在可行的情況下強制執行雙因素身份驗證。, environment files, and other readable server-side files. Consequences can include credential disclosure, database compromise, and potentially full site takeover depending on the environment.

If your site uses Learnify, treat this as urgent. The guidance below explains the vulnerability, exploitation techniques, detection indicators, immediate mitigations, and incident response steps tailored for site owners and administrators.

什麼是本地文件包含 (LFI)？

Local File Inclusion occurs when user-controlled input determines which server-side file an application includes or reads, without adequate validation. In PHP-based applications this can look like:

• include($_GET['template']);
• require_once($_REQUEST['page']);

If an attacker controls that input, they can force the application to read arbitrary local files. Common impacts:

• Disclosure of secrets (database credentials, API keys).
• Information gathering for follow-on attacks.
• Potential Remote Code Execution (RCE) when chained with other misconfigurations or vulnerable wrappers (e.g., php:// wrappers).

Why this Learnify LFI is dangerous

主要事實：

• Impact: Learnify themes ≤ 1.15.0.
• CVE: CVE-2025-60085.
• 所需權限：無（未經身份驗證）。.
• CVSS：8.1（高）。.
• At disclosure: no guaranteed vendor patch available — site owners must apply mitigations promptly.

This LFI is high-priority because it is unauthenticated, easily scanned at scale, targets files that often contain credentials (like 9. 或使用使會話失效的插件。在可行的情況下強制執行雙因素身份驗證。), and can be chained to escalate into more severe compromises.

Technical details (how attackers typically exploit LFI)

Attackers follow common steps when exploiting LFI. Understanding the pattern helps with detection and mitigation.

1. Finding the entry point
   Look for theme code that includes files using variables influenced by request parameters, e.g.:
   include( $theme_dir . '/' . $_GET['tpl'] );
2. Path traversal
   Payloads include traversal sequences to reach sensitive files:
   ../../../../etc/passwd 或 ../../../../wp-config.php.
3. Using wrappers to read files
   Wrappers like php://filter can force printable output:
   ?tpl=php://filter/convert.base64-encode/resource=../../../../wp-config.php.
4. Null byte and encoding tricks
   Older servers might be targeted with null byte (%00) truncation or encoded payloads:
   ?tpl=../../../../wp-config.php%00.
5. Post-exploitation
   Extracted credentials can be used to access the database, create admin users, install backdoors, or upload PHP shells if writeable areas exist.

The disclosure indicates the Learnify inclusion logic did not sufficiently validate user-supplied paths, enabling the methods above.

Indicators and malicious request patterns to look for

在日誌中搜索這些模式：

• php://filter/convert.base64-encode/resource=
• 來自單一 IP 或小範圍 IP 的重複 ../ 或編碼變體如 ..%2F..%2F
• 空字節嘗試： %00
• Requests to theme PHP files with query parameters like ?tpl= 或 ?page=
• Long base64 strings in normal HTML responses (file contents encoded)

Example suspicious request:

GET /wp-content/themes/learnify/somefile.php?template=php://filter/convert.base64-encode/resource=../../../../wp-config.php HTTP/1.1

If you see this pattern, treat it as high priority and investigate immediately.

Immediate action checklist (first hours)

If your site uses Learnify ≤ 1.15.0, perform these steps now:

1. Place the site into maintenance mode or apply temporary access controls (IP allowlist) to reduce exposure.
2. Switch to a clean theme (WordPress default) or remove the vulnerable theme from public-facing directories. Do not leave the vulnerable theme active.
3. If an official patch is published, apply it immediately. If not, use the mitigations below.
4. Apply server-level rules to block traversal sequences and php:// wrapper attempts (virtual patching at the webserver layer).
5. Do not change database credentials until you have reliable backups and have checked for signs of compromise; when safe, rotate DB passwords and secrets.
6. Rotate secret keys and salts in 9. 或使用使會話失效的插件。在可行的情況下強制執行雙因素身份驗證。 after you have remediated and verified integrity.
7. Scan for webshells, suspicious files, and modified timestamps.
8. Restore from a verified clean backup if you detect a compromise.
9. Increase monitoring: enable file integrity checks, audit logs and alerting.

If you lack in-house capability, contact your hosting provider or a trusted security consultant and share the indicators above.

How to detect whether your site has been exploited

Even after you remove the vulnerable theme or apply fixes, check for traces of compromise:

• 新增或修改的檔案位於 wp-content/uploads, wp-content/themes, wp-content/plugins, or unexpected locations.
• New admin users in WordPress (inspect the wp_users 表格）。.
• Suspicious scheduled tasks or cron entries stored in the database.
• Outbound connections to unknown IPs from the server (check firewall/host logs).
• Unusual CPU/IO usage or traffic spikes.
• Database queries from unfamiliar accounts or unexpected queries in slow logs.
• Unknown PHP files or encoded scripts using 評估, base64_解碼, ，或 gzinflate.

Recommended actions: file integrity tools, malware scans, and manual inspection of critical files (9. 或使用使會話失效的插件。在可行的情況下強制執行雙因素身份驗證。, .htaccess, theme and plugin entry points).

事件響應：逐步操作手冊

1. 隔離
   • Take the site offline or block traffic to prevent further damage.
   • Revoke compromised credentials and API keys.
   • Isolate the server from the network if feasible.
2. 如果可能，將網站下線（維護模式）。
   • Backup logs (webserver, database, application) and, if needed, disk images.
   • Preserve timestamps for forensic analysis; do not overwrite logs.
3. 根除
   • Remove backdoors, shells and malicious scripts.
   • Reinstall WordPress core, plugins and themes from verified clean sources.
   • Rebuild servers from clean images if server-level persistence is suspected.
4. 恢復
   • Restore from a clean backup (from before the compromise).
   • Apply security patches and hardening measures.
   • Change all passwords and rotate keys and salts.
5. 恢復後
   • Strengthen monitoring and logging.
   • Conduct a post-mortem to identify failed controls and closing the gaps.
   • Update incident response plans and educate the team.
6. 通知
   • Notify stakeholders and your hosting provider. Follow local regulatory or contractual notification requirements where applicable.

Hardening recommendations to reduce LFI risk

1. 最小權限原則
   Ensure minimal file and directory permissions. Most WordPress files should be readable by the webserver but not writable. Only wp-content/uploads should be writable for uploads.
2. PHP 配置
   禁用 allow_url_include, restrict via open_basedir, and disable unnecessary functions like 執行, shell_exec, if not required by your environment.
3. Disable built-in editor
   添加到 9. 或使用使會話失效的插件。在可行的情況下強制執行雙因素身份驗證。:

   define('DISALLOW_FILE_EDIT', true);

4. Secure uploads
   Prevent execution of PHP files in wp-content/uploads with server rules (examples below).
5. 旋轉鹽值和金鑰
   Use strong, unique salts and rotate them after remediation to invalidate existing sessions.
6. Backups and testing
   Maintain regular, offsite backups and test restores periodically.
7. Code review and staged upgrades
   Review third-party themes/plugins before deployment or restrict their use until verified.

實用的 WAF 規則和服務器級緩解措施

Webserver-level blocks (virtual patching) can buy time when an official patch is unavailable. Test rules on a staging system before applying in production.

Important patterns to detect and block:

• Any parameter value containing php://filter
• Parameters with multiple ../ sequences
• Null byte attempts (%00)
• 嘗試包含的請求 9. 或使用使會話失效的插件。在可行的情況下強制執行雙因素身份驗證。, .env, /etc/passwd

Example ModSecurity/CRS-style rule:

# Block common LFI attack signatures
SecRule REQUEST_URI|ARGS|ARGS_NAMES|REQUEST_HEADERS "@rx (?i)((\.\./)|(\.\.\\)|php://filter|php%3A%2F%2Ffilter|%00|/etc/passwd|wp-config.php)" \
    "id:1009001,phase:1,deny,status:403,log,msg:'Potential LFI attempt blocked',severity:2,tag:'LFI',tag:'OWASP_TOP_10_A03'"

Nginx rule example:

if ($request_uri ~* "(php://filter|%00|\.\./){1,}") {
    return 403;
}

Apache .htaccess snippet to block PHP execution in uploads:

# Protect uploads - prevent PHP execution

    Order Allow,Deny
    Deny from all

Apply such rules carefully — overly broad rules can break legitimate functionality. Prioritise staging/testing and incremental deployment.

Sample detection regex and log analysis tips

Use these patterns for automated log scanning (case-insensitive):

(?i)(php%3A%2F%2Ffilter|php://filter|(\.\./){2,}|(\.\.\\){2,}|%00|wp-config\.php|/etc/passwd)

Alert on log entries such as:

• GET /wp-content/themes/learnify/… ?…=php://filter/convert.base64-encode/resource=../../../../wp-config.php
• Any request using php:// wrappers
• Responses returning base64-encoded content in normal HTML pages

Run daily scans of logs for these signatures and notify administrators when matches occur.

Safe test to check for vulnerability (site owners only)

Only perform these checks on sites you own or operate. Do not test third-party sites.

1. Use a non-destructive php://filter request targeting a known, harmless file (for instance a theme readme).
2. Example request:

GET /wp-content/themes/learnify/index.php?tpl=php://filter/convert.base64-encode/resource=inc/readme.html

If the response includes a base64 string that decodes to the file content, the inclusion function is vulnerable. Stop testing and proceed to mitigation immediately.

Remediation decision tree

Choose the appropriate path depending on availability of an official patch:

• If a patched version exists: update immediately, then verify integrity (file scans, password rotations).
• If no patch exists: remove the theme from active use, apply server-level rules to block exploitation, and consider replacing the theme with a maintained alternative.
• If the theme cannot be removed: enforce strict access controls (IP whitelist), apply tight server rules, and increase monitoring and frequent integrity checks.

After remediation: validate and monitor

After applying fixes:

1. Re-run automated vulnerability and malware scanners.
2. Verify no unexpected admin accounts or scheduled tasks exist.
3. Check for unexpected outbound network activity.
4. Ensure backups are clean and recent.
5. Maintain heightened monitoring for at least 30 days post-remediation.

常見問題（FAQ）

Q: Can LFI lead to Remote Code Execution?

A: LFI is primarily a file read/inclusion vulnerability. RCE is possible if an attacker can include a file they control (e.g., an uploaded PHP file) or chain the LFI with other insecure configurations (writable directories, dangerous wrappers).

Q: I use a child theme of Learnify — am I affected?

A: Possibly. Child themes inherit parent code. If the vulnerable logic exists in the Learnify parent theme and that parent is ≤ 1.15.0, you are likely impacted. Check the parent theme version and act accordingly.

Q: I patched the theme — do I still need to rotate credentials?

A: Yes. Patching prevents new exploitation but does not remove any previous compromise. Rotate DB passwords, API keys, and salts if there was any exposure.

Q: How can I be notified of similar vulnerabilities?

A: Subscribe to reputable security advisories and mailing lists, enable automated vulnerability alerts for installed themes/plugins, and keep logging and monitoring active.

從香港安全的角度看最後的想法

This Learnify LFI disclosure highlights a recurring reality: third-party themes and plugins can introduce critical weaknesses. In Hong Kong’s fast-moving digital environment, the priorities are speed and thoroughness — act quickly to contain exposure, and investigate fully to determine whether credentials or systems were accessed.

Practical priorities: quickly remove or isolate vulnerable components, apply server-level mitigations, verify integrity, rotate secrets, and sustain monitoring. If you manage multiple sites, treat this disclosure as a prompt to inventory theme versions and enforce an upgrade or replacement plan.

For organisations without in-house security capability, engage a qualified security consultant or your hosting support team to assist with containment, forensics and remediation.

Appendix A: Quick checklist (copy/paste)

• [ ] Identify if Learnify ≤ 1.15.0 is installed.
• [ ] Switch to a different theme or deactivate Learnify.
• [ ] Apply server rules to block php://filter and path traversal attempts.
• [ ] Scan for webshells and unauthorized file modifications.
• [ ] Rotate DB credentials and WordPress salts.
• [ ] Restore from clean backup if compromise is detected.
• [ ] Implement file permission hardening.
• [ ] Enable file integrity monitoring and alerting.
• [ ] Monitor logs for 30 days after remediation.

Appendix B: Additional resources and references

• CVE-2025-60085 advisory
• PHP hardening best practices (open_basedir, disable dangerous functions)
• WordPress security handbook and administration guides
• WAF tuning and rule testing guides (test on staging before production)

重要： The actions above are operationally sensitive. If you suspect compromise and lack the skills to follow the incident playbook, seek assistance from a trusted, professional security responder or your hosting provider.