Cyber Resilience

CVE-2025-2558

High · Public PoC

Published: 24 April 2025
Modified: 23 June 2025
KEV Added: not listed
Patch:
CVSS Score (v3.1): 8.6, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
EPSS Score: 0.1034 (93.4th percentile)
Risk Priority: 23 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-2558 is a high-severity vulnerability of an unspecified weakness class in The Wound, a WordPress theme from The Wound Project. Its CVSS base score is 8.6 (High).

Operationally, it ranks in the top 6.6% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

The-wound WordPress theme through version 0.0.1 contains a local file inclusion vulnerability stemming from missing validation of certain parameters that are used to construct paths passed to PHP include functions. This flaw affects the theme when deployed on WordPress sites and carries a CVSS 3.1 score of 8.6.

Unauthenticated attackers with network access can supply crafted parameters to read and download arbitrary files from the underlying server, resulting in high confidentiality impact with changed scope but no direct integrity or availability consequences.

The EPSS score for this CVE reached a peak of 0.1945 after disclosure, indicating a measurable increase in exploitation interest that later moderated to the current value of 0.1034. Public references are available at the listed WPScan URLs.
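The pattern described above (a request parameter concatenated into a path that is handed to a PHP include) and the defensive shape that removes it, as an added illustration; this is not code from the The Wound theme, and the parameter name `template`, the function names and the allowlist contents are assumptions:

```php
<?php
// Added illustrative example, not code from the The Wound theme.
// The `template` parameter, function names and allowlist are assumptions.

// Weak pattern the advisory describes: a request value is spliced into a
// path and passed to include() with no validation, so the caller decides
// which file on disk gets executed or disclosed.
function load_template_unsafe(string $theme_dir, array $request): void {
    $name = $request['template'] ?? 'default';
    include $theme_dir . '/templates/' . $name . '.php';   // user-controlled path
}

// Hardened pattern: map the request value onto a fixed allowlist of template
// identifiers, then confine the canonical path to the templates directory
// before including anything. Returns false when nothing safe could be loaded.
function load_template_safe(string $theme_dir, array $request): bool {
    static $allowed = ['default', 'single', 'page', 'archive'];  // assumed list

    $name = $request['template'] ?? 'default';
    if (!in_array($name, $allowed, true)) {
        // Unknown identifier: record it for detection and fall back rather
        // than building a path from attacker-chosen input.
        error_log('the-wound: rejected template parameter ' . json_encode($name));
        $name = 'default';
    }

    $base = realpath($theme_dir . '/templates');
    $path = realpath($base . '/' . $name . '.php');
    // realpath() returns false for missing files and collapses any traversal
    // components, so a prefix check on the canonical path is reliable.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return false;
    }
    include $path;
    return true;
}
```

In WordPress theme code the same effect is normally obtained by passing only allowlisted names to `locate_template()` or `get_template_part()`; the rejected-parameter log line is the signal a defender would alert on.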


Vulnerability details

The-wound WordPress theme through 0.0.1 does not validate some parameters before using them to generate paths passed to include function(s), allowing unauthenticated users to perform LFI attacks and download arbitrary files from the server.

CWE(s): none assigned

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: the wound project
Product: the wound
Versions: ≤ 0.0.1

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References