CVE-2025-49296
BaseFortify
Publication date: 2025-06-09
Last updated on: 2026-04-23
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| qodeinteractive | grandprix | to 1.6.1 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-35 | The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '.../...//' (doubled triple dot slash) sequences that can resolve to a location that is outside of that directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Local File Inclusion (LFI) issue in the Mikado-Themes GrandPrix WordPress theme versions up to 1.6. It allows an unauthenticated attacker to include and display local files from the target website. This means the attacker can access sensitive files on the server, such as database credentials, by exploiting the theme's improper handling of file paths. [1]
How can this vulnerability impact me? :
The vulnerability can lead to severe impacts including exposure of sensitive information like database credentials and potentially a complete database takeover. Since no privileged access is required to exploit it, attackers can widely exploit this vulnerability to compromise the website, leading to data breaches, loss of data integrity, and availability issues. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if your WordPress site is running the GrandPrix Theme version 1.6 or earlier. Since it allows Local File Inclusion (LFI) via unauthenticated requests, you can attempt to detect exploitation attempts by monitoring web server logs for suspicious requests that include file path traversal patterns (e.g., requests containing '../' sequences targeting theme files). Specific commands to search logs might include: - For Linux systems using grep on Apache logs: grep -E "(\.{2}/)+" /var/log/apache2/access.log - For Nginx logs: grep -E "(\.{2}/)+" /var/log/nginx/access.log Additionally, scanning the site files to verify the theme version can be done by checking the style.css or theme metadata files for version info. However, no specific detection commands are provided in the resources. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include: 1. Update the GrandPrix Theme to version 1.6.1 or later, which contains the official fix for this vulnerability. 2. If immediate updating is not possible, apply the Patchstack virtual patch (vPatch) which blocks attacks targeting this vulnerability until the official patch can be applied. 3. Monitor your website for signs of compromise and consider professional incident response if you suspect exploitation. 4. Avoid relying solely on plugin-based malware scanners as attackers may tamper with them. Prompt updating is strongly recommended to fully resolve the issue. [1]