CVE-2025-2558
Published: 24 April 2025
Summary
CVE-2025-2558 is a high-severity vulnerability (weakness type unspecified) in The Wound Project's The Wound theme. Its CVSS base score is 8.6 (High).
Operationally, it ranks in the top 6.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
The-wound WordPress theme through version 0.0.1 contains a local file inclusion (LFI) vulnerability: certain request parameters are used to construct file paths passed to PHP include functions without prior validation. The flaw affects WordPress sites on which the theme is deployed and carries a CVSS 3.1 score of 8.6.
Unauthenticated attackers with network access can supply crafted parameters to read and download arbitrary files from the underlying server, resulting in high confidentiality impact with changed scope but no direct integrity or availability consequences.
The EPSS score for this CVE reached a peak of 0.1945 after disclosure, indicating a measurable increase in exploitation interest that later moderated to the current value of 0.1034. Public references are available at the listed WPScan URLs.
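As an added illustration (not code from The Wound theme, its author, or the WPScan references), the generic include pattern that produces this class of flaw is shown beside a hardened version that maps the request value through an allowlist and confirms the resolved path stays inside the template directory. The `tpl` parameter, the `templates/` directory and the template names are hypothetical.

```php
<?php
// Added illustration, not The Wound theme's code. Parameter name, directory
// and template names are hypothetical.

// UNSAFE: a request value flows straight into the include path. Any string
// the caller controls decides which file PHP loads, which is the root cause
// of a local file inclusion.
function render_template_unsafe(string $name): void
{
    include __DIR__ . '/templates/' . $name . '.php';
}

// HARDENED: the request value is only ever used as a lookup key into a fixed
// allowlist; the raw string never becomes part of a path.
const TEMPLATE_ALLOWLIST = [
    'home'    => 'home.php',
    'single'  => 'single.php',
    'archive' => 'archive.php',
];

function render_template_safe(string $name): bool
{
    if (!array_key_exists($name, TEMPLATE_ALLOWLIST)) {
        return false;                     // unknown key: refuse rather than guess
    }

    $base = realpath(__DIR__ . '/templates');
    $path = realpath($base . '/' . TEMPLATE_ALLOWLIST[$name]);

    // Defence in depth: even with an allowlist, verify the resolved file still
    // lives under the template directory (realpath returns false if missing).
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return false;
    }

    include $path;
    return true;
}

// Usage with a request parameter such as ?tpl=home
$tpl = isset($_GET['tpl']) ? (string) $_GET['tpl'] : 'home';
if (!render_template_safe($tpl)) {
    http_response_code(400);
    echo 'Unknown template';
}
```

The allowlist is the actual fix; the `realpath` prefix check is a second layer so that a later edit to the allowlist (for example a value containing `..`) cannot silently reintroduce the problem. Rejected lookups are a useful signal to log, since repeated unknown `tpl` values against a site running this theme are exactly what an LFI probe looks like.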
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-12113
Vulnerability details
The-wound WordPress theme through 0.0.1 does not validate some parameters before using them to generate paths passed to include function/s, allowing unauthenticated users to perform LFI attacks and download arbitrary files from the server.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.