CVE-2025-58214
BaseFortify
Publication date: 2025-09-05
Last updated on: 2026-04-23
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| patchstack | indutri_theme | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-98 | The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Local File Inclusion (LFI) flaw in the WordPress Indutri Theme versions prior to 1.3.0. It allows unauthenticated attackers to include and display local files from the target website. This can expose sensitive information such as database credentials and potentially lead to a complete database takeover depending on the website's configuration. The vulnerability is due to improper control of filenames used in include/require statements in PHP, making it possible to inject and execute unintended files. [1]
How can this vulnerability impact me? :
Exploiting this vulnerability can lead to exposure of sensitive information like database credentials, which may result in a complete database takeover. Since the vulnerability requires no authentication, attackers can easily exploit it, potentially compromising the entire website and its data. This poses a high risk to the confidentiality, integrity, and availability of the affected system. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves monitoring for attempts to exploit Local File Inclusion (LFI) in the Indutri WordPress theme prior to version 1.3.0. Network or system administrators can look for unusual HTTP requests containing suspicious parameters that attempt to include local files. While specific commands are not provided, general approaches include analyzing web server logs for requests with patterns like 'include=' or 'require=' parameters referencing local files. Additionally, professional incident response and server-side malware scanning are recommended to detect compromise, as plugin-based scanners may be unreliable due to potential tampering. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the Indutri WordPress theme to version 1.3.0 or later, which contains the official fix for this vulnerability. Until the update can be applied, users should deploy the Patchstack virtual patch (vPatch) that automatically blocks attacks targeting this vulnerability. It is also advised to perform professional incident response and server-side malware scanning if compromise is suspected. [1]