CVE-2025-39463
Published: 06 November 2025
Summary
CVE-2025-39463 is a high-severity PHP Remote File Inclusion (CWE-98) vulnerability. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 39.4% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-39463 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, classified as PHP Remote File Inclusion (CWE-98), affecting the Dessau WordPress theme developed by Select-Themes. The flaw enables PHP Local File Inclusion and impacts all versions of the Dessau theme prior to 1.9. It carries a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high potential impact on confidentiality, integrity, and availability.
The vulnerability can be exploited over the network by low-privileged authenticated users, such as WordPress contributors or subscribers, though it requires high attack complexity and no user interaction. Successful exploitation allows attackers to perform local file inclusion, potentially leading to unauthorized access to sensitive files, code execution, or system compromise depending on the included files and server configuration.
Patchstack advisories recommend updating the Dessau theme to version 1.9 or later, where the vulnerability has been addressed. Security practitioners should scan WordPress installations for vulnerable theme versions and apply the patch immediately, prioritizing sites with low-privilege user accounts.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-38030
Vulnerability details
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Select-Themes Dessau dessau allows PHP Local File Inclusion. This issue affects Dessau: from n/a through < 1.9.
Related Threats
MITRE ATT&CK Enterprise Techniques: Exploit Public-Facing Application (T1190)
Why these techniques?
The vulnerability is a critical remotely exploitable LFI/RFI in a public-facing WordPress theme, directly enabling exploitation of public-facing applications for potential code execution, data exposure, and system compromise.
Mitigating Controls (NIST 800-53 r5)
- Directly mitigates CVE-2025-39463 by requiring timely patching of the vulnerable Dessau WordPress theme to version 1.9 or later.
- SI-10 (Information Input Validation): prevents exploitation of the PHP Local File Inclusion vulnerability by validating and sanitizing untrusted filenames used in include/require statements.
- RA-5 (Vulnerability Monitoring and Scanning): enables identification of installations running vulnerable Dessau theme versions prior to 1.9 through vulnerability scanning of WordPress components.
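To make the SI-10 control concrete, the following is an added illustration of the CWE-98 pattern and its hardened counterpart; it is not the Dessau theme's code, and the template-part loader, its `parts/` directory and the `part` request parameter are hypothetical.

```php
<?php
// Added illustration of CWE-98 in a theme-style partial loader (hypothetical;
// not code from the Dessau theme). The weak form lets the request choose the
// file; the hardened form only ever includes an allowlisted name under parts/.

declare(strict_types=1);

// Allowlist: the only template partials this loader may include.
const ALLOWED_PARTS = ['header', 'footer', 'sidebar', 'portfolio-item'];

// WEAK: the include path is built from an untrusted string. Traversal
// sequences or absolute paths reach include() unchanged (CWE-98).
function load_part_unsafe(string $requested): void
{
    include __DIR__ . '/parts/' . $requested . '.php';
}

// HARDENED: exact-match allowlist first (SI-10), then a defence-in-depth
// check that the resolved file still lives inside the expected directory.
function load_part_safe(string $requested): bool
{
    // 1. Only a known name passes; no request characters reach the path.
    if (!in_array($requested, ALLOWED_PARTS, true)) {
        error_log('rejected template part: ' . bin2hex($requested));
        return false;
    }
    // 2. Canonicalise and confirm containment (realpath() is false if missing).
    $base = realpath(__DIR__ . '/parts');
    $path = realpath($base . '/' . $requested . '.php');
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        error_log('template part outside base directory: ' . $requested);
        return false;
    }
    include $path;
    return true;
}

// Call site: fall back to a fixed default instead of surfacing an error that
// would reveal filesystem layout to a low-privileged user.
$part = (isset($_GET['part']) && is_string($_GET['part'])) ? $_GET['part'] : 'header';
if (!load_part_safe($part)) {
    load_part_safe('header');
}
```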