CVE-2025-26748 HIGH

CVE-2025-26748: WordPress Arkhe theme <= 3.12.0 - CSRF to Local File Inclusion vulnerability

Vendor Looswebstudio
Product Arkhe
Weakness CWE-352 · CSRF
Published April 15, 2025
Last update April 28, 2026

CVSS base score

8.1/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

Cross-Site Request Forgery (CSRF) vulnerability in looswebstudio Arkhe arkhe allows PHP Local File Inclusion. This issue affects Arkhe: from n/a through <= 3.12.0.

Explanation of Vulnerability in Simple Terms

02 Summary

Arkhe versions up to 3.12.0 contain a cross-site request forgery (CSRF) vulnerability that allows an attacker to perform unauthorized actions on behalf of an authenticated user without their knowledge. The vulnerability requires specific conditions to exploit but can result in data modification, unauthorized access, or service disruption. Site administrators should update to a version newer than 3.12.0 when available.

What an attacker can do

03 Attacker Capabilities

Perform unauthorized actions on the site by tricking a logged-in user into visiting a malicious page.

Potential impact on your site

04 Site Impact

Attackers can modify site data, change settings, or perform actions as any authenticated user without their consent.

Conditions required to exploit

05 Prerequisites

A logged-in user must visit an attacker-controlled page while authenticated to the vulnerable Arkhe installation.

Key dates

06 Disclosure timeline

April 15, 2025 CVE published
April 28, 2026 Record updated