Cyber Resilience

CVE-2025-39470

High

Published: 18 April 2025

Modified: 23 April 2026
CVSS Score v3.1: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0080 (74.5th percentile)
Risk Priority: 17 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-39470 is a high-severity Path Traversal: '.../...//' (CWE-35) vulnerability. Its CVSS base score is 8.1 (High).

Operationally, it is ranked in the top 25.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

The vulnerability is a path traversal issue (CWE-35) that uses sequences such as '.../...//' to enable PHP local file inclusion in the ThimPress Ivy School WordPress theme. It affects Ivy School versions through 1.6.0 (the record gives no lower bound, listed as "n/a") and carries a CVSS 3.1 score of 8.1.

An unauthenticated remote attacker can supply crafted path sequences over the network to include and potentially execute arbitrary local PHP files. Successful exploitation can result in disclosure or modification of sensitive data and full compromise of the confidentiality, integrity, and availability of the affected site.

The issue is tracked in the Patchstack vulnerability database, which identifies the affected theme versions and links to the corresponding entry for Ivy School 1.6.0. The associated EPSS score remains low, with a current value of 0.0080 and a peak of only 0.0104.
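
Why the '.../...//' form matters when reviewing include logic, as an added example (not code from the Ivy School theme or from this page): a filter that strips `../` in a single pass turns `.../...//` back into `../`, whereas an allow-list plus a `realpath()` containment check rejects it. The function names and the sample directory are hypothetical, and the weak filter is an assumed pattern, not the theme's confirmed code.

```php
<?php
// Added illustration, not code from the Ivy School theme; all names are hypothetical.

// Weak pattern (assumed): strip "../" once, then trust what is left.
function naive_sanitize(string $name): string
{
    return str_replace('../', '', $name);
}

// Hardened pattern: allow-list the identifier, then canonicalize and
// confirm the resolved file is still inside the template directory.
function resolve_template(string $baseDir, string $name): ?string
{
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name)) {
        return null; // rejects dots, slashes, NUL bytes and empty names
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name . '.php');
    if ($base === false || $path === false) {
        return null; // directory or file does not exist
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Constructed sample data: a throwaway template directory and two inputs.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tpl_demo_' . bin2hex(random_bytes(4));
mkdir($base);
file_put_contents($base . DIRECTORY_SEPARATOR . 'course.php', "<?php // constructed sample\n");

foreach (['course', '.../...//outside'] as $input) {
    printf(
        "input=%s naive=%s hardened=%s\n",
        var_export($input, true),
        var_export(naive_sanitize($input), true),
        resolve_template($base, $input) === null ? 'rejected' : 'accepted'
    );
}

// Clean up the constructed directory.
unlink($base . DIRECTORY_SEPARATOR . 'course.php');
rmdir($base);
```

The same containment check applies to any value that ends up in an `include` or `require` path, regardless of how the input was filtered beforehand.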

Vulnerability details

Path Traversal: '.../...//' vulnerability in ThimPress Ivy School ivy-school allows PHP Local File Inclusion. This issue affects Ivy School: from n/a through <= 1.6.0.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
