CVE-2025-2558
📋 TL;DR
CVE-2025-2558 is a Local File Inclusion vulnerability in The-wound WordPress theme that allows unauthenticated attackers to read arbitrary files from the server. This affects all WordPress sites using The-wound theme version 0.0.1 or earlier. Attackers can potentially access sensitive files like configuration files, password files, or source code.
💻 Affected Systems
- The-wound WordPress Theme
📦 What is this software?
The Wound by The Wound Project
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise through reading sensitive configuration files (like wp-config.php containing database credentials), followed by database access, privilege escalation, and potential remote code execution.
Likely Case
Unauthenticated attackers download sensitive files including WordPress configuration, server configuration files, or user data, leading to information disclosure and potential credential theft.
If Mitigated
Limited impact with proper file permissions and web server configurations that restrict access to sensitive directories and files.
🎯 Exploit Status
WPScan references indicate public disclosure with technical details. The vulnerability requires no authentication and has simple exploitation vectors.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not available
Vendor Advisory: https://wpscan.com/vulnerability/6a8e1c89-a01d-4347-91fc-ba454784b153/
Restart Required: No
Instructions:
1. Remove The-wound theme from WordPress installation
2. Delete theme files from wp-content/themes/the-wound directory
3. Replace with alternative theme
4. Clear WordPress cache if applicable
🔧 Temporary Workarounds
Disable vulnerable theme
Deactivate and remove The-wound theme from WordPress
# WP-CLI has no "theme deactivate" command: a site always has one active theme, so
# activate the replacement first (placeholder name below), then delete the vulnerable theme.
wp theme activate <replacement-theme>
wp theme delete the-wound
Web server path restriction
Configure web server to block directory traversal attempts
# Apache: Add to .htaccess
# REQUEST_URI holds only the path (Apache normalizes ".." there before rewriting);
# the LFI parameter travels in the query string, so check both, raw and %-encoded.
# Broad rules like these can also block legitimate query strings containing "..".
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_URI} \.\. [NC,OR]
RewriteCond %{QUERY_STRING} (\.\.|%2e%2e) [NC]
RewriteRule .* - [F]
</IfModule>
# Nginx: Add to server block
# A "location" regex matches only the normalized path; $args covers the query string.
location ~* \.\. {
return 403;
}
if ($args ~* "(\.\.|%2e%2e)") {
return 403;
}
🧯 If You Can't Patch
- Immediately deactivate The-wound theme and switch to a different theme
- Implement web application firewall rules to block LFI patterns and directory traversal attempts
🔍 How to Verify
Check if Vulnerable:
Check if The-wound theme is installed and active in WordPress admin panel under Appearance > Themes
Check Version:
wp theme list --fields=name,status,version | grep -i wound
Verify Fix Applied:
Confirm The-wound theme is no longer present in wp-content/themes directory and not listed in active themes
📡 Detection & Monitoring
Log Indicators:
- HTTP requests with ../ patterns or attempts to access sensitive files like wp-config.php, /etc/passwd, or other system files
- Multiple failed attempts to access theme files with parameter manipulation
Network Indicators:
- Unusual GET requests with file path parameters to theme files
- Requests containing directory traversal sequences (../)
SIEM Query:
web_access_logs | where url contains "../" and url contains "the-wound" | where response_code = 200
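As an added detection example (not part of this advisory or the theme's code), the following Python script applies the log indicators above to constructed access-log lines: it percent-decodes each request URL so encoded traversal sequences are not missed, then flags traversal or sensitive-file references and whether the request targeted the theme path. The endpoint name and "file" parameter in the sample lines are placeholders, since the advisory does not name the vulnerable file.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in the combined access-log format (not real traffic). The
# script name and "file" parameter are placeholders: the advisory does not name the
# theme's vulnerable endpoint, so detection keys on the theme path plus the pattern.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2025:12:00:01 +0000] "GET /wp-content/themes/the-wound/PLACEHOLDER.php?file=../../../../wp-config.php HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.5 - - [10/Mar/2025:12:00:02 +0000] "GET /wp-content/themes/the-wound/PLACEHOLDER.php?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1024 "-" "curl/8.0"
198.51.100.7 - - [10/Mar/2025:12:00:03 +0000] "GET /wp-content/themes/the-wound/style.css HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2025:12:00:04 +0000] "GET /index.php?p=1 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<url>\S+) [^"]*" (?P<status>\d{3}) ')
THEME_PATH = "/wp-content/themes/the-wound/"
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")
SENSITIVE_RE = re.compile(r"wp-config\.php|/etc/passwd|/etc/shadow", re.IGNORECASE)

def normalize(url: str) -> str:
    """Percent-decode up to three times so ..%2F and double-encoded %252E%252E
    variants are compared as plain ../ (a literal substring match would miss them)."""
    for _ in range(3):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return url

def classify(line: str):
    """Return a finding dict for a suspicious request, or None for benign/unparsable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = normalize(m["url"])
    reasons = []
    if TRAVERSAL_RE.search(url):
        reasons.append("traversal")
    if SENSITIVE_RE.search(url):
        reasons.append("sensitive-file")
    if not reasons:
        return None
    # A 200 on such a request is the strongest signal (as in the advisory's SIEM query);
    # 403/404 still show probing, so status is reported rather than used as a filter.
    return {"ip": m["ip"], "status": int(m["status"]), "url": url,
            "theme": THEME_PATH in url.lower(), "reasons": reasons}

def scan(log_text: str) -> list:
    # Run classify() over every line and keep only the findings.
    return [hit for hit in map(classify, log_text.splitlines()) if hit]
```

Running scan(SAMPLE_LOG) returns the two traversal requests and ignores the benign theme asset and front-page requests.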