CVE-2025-39470
Published: 18 April 2025
Summary
CVE-2025-39470 is a high-severity Path Traversal: '.../...//' (CWE-35) vulnerability. Its CVSS base score is 8.1 (High).
Operationally, ranked in the top 25.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
The vulnerability is a path traversal issue (CWE-35) using sequences such as '.../...//' that enables PHP local file inclusion in the ThimPress Ivy School WordPress theme. It affects all versions from n/a through 1.6.0 and carries a CVSS 3.1 score of 8.1.
An unauthenticated remote attacker can supply crafted path sequences over the network to include and potentially execute arbitrary local PHP files. Successful exploitation can result in disclosure or modification of sensitive data and full compromise of the confidentiality, integrity, and availability of the affected site.
The issue is tracked in the Patchstack vulnerability database, which identifies the affected theme versions and links to the corresponding entry for Ivy School 1.6.0. The associated EPSS score remains low, with a current value of 0.0080 and a peak of only 0.0104.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-11834
Vulnerability details
Path Traversal: '.../...//' vulnerability in ThimPress Ivy School ivy-school allows PHP Local File Inclusion.This issue affects Ivy School: from n/a through <= 1.6.0.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.