CVE-2025-49070
BaseFortify
Publication date: 2025-07-04
Last updated on: 2026-04-23
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-98 | The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Local File Inclusion (LFI) issue in the WordPress Elessi Theme versions prior to 6.4.1. It allows an attacker with subscriber-level privileges to include and display local files from the target website. This can expose sensitive information such as database credentials and potentially lead to a complete database takeover. The vulnerability is related to improper control of filenames used in PHP include/require statements and falls under the OWASP Top 10 category A3: Injection. [1]
How can this vulnerability impact me? :
The impact of this vulnerability includes exposure of sensitive information like database credentials, which can lead to a complete database takeover depending on the website's configuration. Attackers can exploit this vulnerability to gain unauthorized access and control, potentially compromising the entire website and its data. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves checking if the WordPress Elessi Theme version is prior to 6.4.1 and monitoring for attempts to exploit Local File Inclusion (LFI). Since attackers may automate exploitation, inspecting web server logs for suspicious requests attempting to include local files is recommended. Specific commands are not provided in the resources, but general approaches include reviewing web server access logs for unusual URL parameters that try to include files, and using server-side malware scanning tools as plugin-based scanners may be unreliable. Professional incident response is advised if compromise is suspected. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include applying the virtual patch (vPatch) provided by Patchstack to block attacks temporarily and then updating the WordPress Elessi Theme to version 6.4.1 or later, which contains the official fix. Users are strongly advised to update immediately to fully resolve the vulnerability. Additionally, monitoring for signs of compromise and performing professional incident response and server-side malware scanning are recommended if an attack is suspected. [1]