CVE-2025-69141
Deferred Deferred - Pending Action

Unauthenticated Local File Inclusion in Kelly Young <= 1.1.0

Vulnerability report for CVE-2025-69141, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: Patchstack

Description

Unauthenticated Local File Inclusion in Kelly Young <= 1.1.0 versions.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-17
Last Modified
2026-06-17
Generated
2026-07-08
AI Q&A
2026-06-17
EPSS Evaluated
2026-07-06
NVD
EUVD

Affected Vendors & Products

Currently, no data is known.

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-98 The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

This vulnerability allows attackers to include local files from the target website, potentially exposing sensitive data such as database credentials. Exposure of such sensitive information could lead to a complete database takeover depending on the site's configuration.

The exposure and potential compromise of sensitive data can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive information from unauthorized access.

Therefore, if exploited, this vulnerability could result in violations of data protection requirements mandated by these regulations.

Detection Guidance

The vulnerability is a Local File Inclusion (LFI) issue in the WordPress Kelly Young Theme version 1.1.0 or lower. Detection typically involves monitoring for suspicious requests attempting to include local files via the theme.

Since there is no official patch yet, Patchstack has issued a mitigation rule to block attacks, which can be used as a detection mechanism.

Common detection methods include analyzing web server logs for requests containing typical LFI attack patterns such as directory traversal sequences (e.g., "../") or attempts to access sensitive files like "/etc/passwd" or configuration files.

Example commands to detect potential exploitation attempts in Apache or Nginx logs might include:

  • grep -iE "(\.{2}/|etc/passwd|wp-config.php)" /var/log/apache2/access.log
  • grep -iE "(\.{2}/|etc/passwd|wp-config.php)" /var/log/nginx/access.log

Additionally, web application firewalls (WAFs) or intrusion detection systems (IDS) can be configured to detect and block such LFI attack patterns.

Executive Summary

The WordPress Kelly Young Theme, version 1.1.0 or lower, contains a Local File Inclusion (LFI) vulnerability. This flaw allows an unauthenticated attacker to include local files from the target website. Exploiting this vulnerability can expose sensitive data such as database credentials.

Impact Analysis

This vulnerability has a high severity with a CVSS score of 8.1, indicating significant danger. An attacker exploiting this flaw could gain access to sensitive information, potentially leading to a complete database takeover depending on the site's configuration. This could result in data breaches, loss of data integrity, and service availability issues.

Mitigation Strategies

Immediate action is advised to mitigate the Local File Inclusion vulnerability in the Kelly Young WordPress theme version 1.1.0 or lower.

  • Update the theme to a version higher than 1.1.0 if available.
  • If no official patch is available, apply the mitigation rule issued by Patchstack to block attacks until a fix is released.
  • Seek assistance from your hosting provider or a web developer to implement protective measures.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-69141. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart