Description

The-wound WordPress theme through 0.0.1 does not validate some parameters before using them to generate paths passed to include functions, allowing unauthenticated users to perform local file inclusion (LFI) attacks and download arbitrary files from the server.

PUBLISHED Reserved 2025-03-20 | Published 2025-04-24 | Updated 2025-04-24 | Assigner WPScan

Problem types

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Product status

Default status: affected

Any version: affected

Credits

Aly Khaled (finder)

WPScan (coordinator)

References

wpscan.com/...rability/6a8e1c89-a01d-4347-91fc-ba454784b153/ (exploit)

wpscan.com/...rability/6a8e1c89-a01d-4347-91fc-ba454784b153/ (exploit, vdb-entry, technical-description)

cve.org (CVE-2025-2558)

nvd.nist.gov (CVE-2025-2558)
