CVE-2025-2558
Published: 2025-04-24
Priority: P2 (63, high)
CVSS 3.1: 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)
Exploit
EPSS: 2.13% (79.7th percentile)
The-wound WordPress theme through 0.0.1 does not validate some parameters before using them to generate paths passed to include function(s), allowing unauthenticated users to perform LFI attacks and download arbitrary files from the server.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| the_wound_project | the_wound | <= 0.0.1 | — |
Detection & IOCs (extracted from sources)

YARA rule:

```yara
rule CVE_2025_2558_LFI_TheWound {
    strings:
        $wp_config1 = "DB_NAME"
        $wp_config2 = "DB_PASSWORD"
        $passwd = /root:.*:0:0:/
    condition:
        ($wp_config1 and $wp_config2) or $passwd
}
```

- Detect unauthenticated GET requests to /wp-content/themes/the-wound/force_download.php with a 'file' parameter containing path traversal sequences (e.g., '../') or absolute paths (e.g., '/etc/passwd').
- Alert on HTTP 200 responses from force_download.php whose body contains 'DB_NAME' and 'DB_PASSWORD' (wp-config.php disclosure) or matches 'root:.*:0:0:' (/etc/passwd disclosure).
- Fingerprint vulnerable installations by fetching /wp-content/themes/the-wound/style.css and checking for a theme version of <= 0.0.1 in the 'Version:' header field.
- Use Shodan query 'http.component:"WordPress"' to identify candidate hosts, then probe for the vulnerable theme path.
- The vulnerability is exploitable only when the 'the-wound' WordPress theme version <= 0.0.1 is installed and active; confirm theme presence via style.css before triggering the LFI probe.
- Exploitation requires no authentication (PR:N, UI:N per CVSS), meaning any unauthenticated network request can trigger the LFI.
- The nuclei template uses stop-at-first-match across two payloads (wp-config.php and /etc/passwd); detection logic should account for either successful exfiltration path.
No detection rules found.
Nuclei

CVE-2025-2558 [HIGH] WordPress The Wound Theme <= 0.0.1 - Local File Inclusion (nuclei · CVSS 8.6)

The-wound WordPress theme through 0.0.1 contains a local file inclusion caused by insufficient validation of parameters used to generate paths passed to include functions, letting unauthenticated users perform LFI attacks and download arbitrary files from the server.

Template:

```yaml
id: CVE-2025-2558
info:
  name: WordPress The Wound Theme <= 0.0.1 - Local File Inclusion
  author: pussycat0x
  severity: high
  description: |
    The-wound WordPress theme through 0.0.1 contains a local file inclusion caused by insufficient validation of parameters used to generate paths passed to include functions, letting unauthenticated users perform LFI attacks and download arbitrary files from the server.
  impact: |
    Unauthenticated attackers can include arbitra
```
No writeups or analysis indexed.