CVE-2025-69110
Deferred Deferred - Pending Action
Unauthenticated Local File Inclusion in AirSupply

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: Patchstack

Description
Unauthenticated Local File Inclusion in AirSupply <= 2.0.0 versions.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-17
Last Modified
2026-06-17
Generated
2026-06-17
AI Q&A
2026-06-17
EPSS Evaluated
N/A
NVD
CVE-2025-69110
EUVD
EUVD-2025-210226
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
patchstack air_supply to 2.0.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-98 The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-69110 is a Local File Inclusion (LFI) vulnerability found in the WordPress AirSupply Theme versions 2.0.0 and below. This flaw allows an unauthenticated attacker to include local files on the target website.

Exploiting this vulnerability can lead to exposure of sensitive data such as database credentials and may result in a full database takeover.

Impact Analysis

This vulnerability poses a high risk with a CVSS score of 8.1. An attacker exploiting it can gain access to sensitive information and potentially take over the entire database of the affected website.

It is actively targeted in mass-exploit campaigns, which means thousands of websites are at risk regardless of their size or popularity.

Without an official patch currently available, affected sites remain vulnerable unless mitigations are applied.

Mitigation Strategies

The AirSupply WordPress theme versions 2.0.0 and below are vulnerable to a high-priority Local File Inclusion flaw that can be exploited without authentication.

Since there is no official patch available yet, immediate mitigation involves applying the Patchstack mitigation rule to block attacks targeting this vulnerability.

Additional recommended steps include updating the theme when a fix is released or seeking assistance from your hosting provider or a web developer to secure your site.

Compliance Impact

The vulnerability allows unauthenticated attackers to include local files on the target website, potentially exposing sensitive data such as database credentials and enabling full database takeover.

Exposure of sensitive data due to this vulnerability could lead to violations of data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access.

Therefore, organizations using affected versions of the AirSupply theme may face compliance risks if this vulnerability is exploited, as it compromises confidentiality, integrity, and availability of data.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-69110. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart