CVE-2025-49258
BaseFortify
Publication date: 2025-06-17
Last updated on: 2026-04-23
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-98 | The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Local File Inclusion (LFI) flaw in the WordPress Maia Theme versions up to 1.1.15. It allows unauthenticated attackers to include and display local files from the target website by improperly controlling the filename used in PHP include/require statements. This can expose sensitive information such as database credentials and potentially lead to a complete database takeover depending on the website's configuration. [1]
How can this vulnerability impact me? :
Exploiting this vulnerability can allow attackers to access and display sensitive local files on your website, including database credentials. This can lead to a complete takeover of your database and compromise the security and integrity of your website. Since the vulnerability requires no authentication, it is highly dangerous and likely to be widely exploited, posing a significant risk to your website's confidentiality, integrity, and availability. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The provided resources do not include specific commands or detailed detection methods for identifying this vulnerability on your network or system. However, since the vulnerability involves Local File Inclusion (LFI) in the Maia WordPress theme versions up to 1.1.15, detection typically involves monitoring for unusual HTTP requests attempting to include local files or scanning web server logs for suspicious include/require patterns. For precise detection commands or tools, additional sources would be needed.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the Maia WordPress theme to version 1.1.16 or later, which contains the fix for this vulnerability. Until the update can be applied, users can deploy Patchstack's virtual patch (vPatch) to block attacks targeting this vulnerability. Additionally, if a system compromise is suspected, professional incident response and server-side malware scanning are recommended rather than relying solely on plugin-based malware scanners. [1]