CVE-2025-2558
published 2025-04-24


Priority: P2 (63)  ·  Severity: high  ·  CVSS 3.1 base score: 8.6
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Exploit: public
EPSS: 2.13% (79.7th percentile)
The-wound WordPress theme through 0.0.1 does not validate some parameters before using them to generate paths passed to include function/s, allowing unauthenticated users to perform LFI attacks and download arbitrary files from the server.

Affected (1 range)

  Vendor              Product    Version range   Fixed in
  the_wound_project   the_wound  <= 0.0.1        -

Detection & IOCs

  path      /wp-content/themes/the-wound/force_download.php
  url       /wp-content/themes/the-wound/force_download.php?file=../../../wp-config.php
  url       /wp-content/themes/the-wound/force_download.php?file=/etc/passwd
  filename  force_download.php
  yara
    // Matches response bodies that look like a disclosed wp-config.php
    // (both DB_NAME and DB_PASSWORD present) or a disclosed /etc/passwd.
    rule CVE_2025_2558_LFI_TheWound {
        strings:
            $wp_config1 = "DB_NAME"
            $wp_config2 = "DB_PASSWORD"
            $passwd = /root:.*:0:0:/
        condition:
            ($wp_config1 and $wp_config2) or $passwd
    }
  • Detect unauthenticated GET requests to /wp-content/themes/the-wound/force_download.php with a 'file' parameter containing path traversal sequences (e.g., '../') or absolute paths (e.g., '/etc/passwd').
  • Alert on HTTP 200 responses from force_download.php whose body contains 'DB_NAME' and 'DB_PASSWORD' (wp-config.php disclosure) or matches 'root:.*:0:0:' (/etc/passwd disclosure).
  • Fingerprint vulnerable installations by fetching /wp-content/themes/the-wound/style.css and checking for a theme version of <= 0.0.1 in the 'Version:' header field.
  • Use Shodan query 'http.component:"WordPress"' to identify candidate hosts, then probe for the vulnerable theme path.
  • The vulnerability is exploitable only when the 'the-wound' WordPress theme version <= 0.0.1 is installed and active; confirm theme presence via style.css before triggering the LFI probe.
  • Exploitation requires no authentication (PR:N, UI:N per CVSS), meaning any unauthenticated network request can trigger the LFI.
  • The nuclei template uses stop-at-first-match across two payloads (wp-config.php and /etc/passwd); detection logic should account for either successful exfiltration path.
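A request-side check for the first detection bullet above, written as an added example that is not part of this record: it scans combined-format access-log lines for requests to force_download.php whose 'file' parameter decodes to an upward traversal or an absolute path, including single- and double-URL-encoded forms. The log lines are constructed, and the combined log layout and the regex are assumptions about the log source.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Theme script named in the IOCs above, matched as a path suffix so that
# WordPress installs under a sub-directory (/blog/...) are covered too.
TARGET = "/wp-content/themes/the-wound/force_download.php"

# Combined log format (Apache/nginx default); an assumption about the log source.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3}) '
)

def suspicious_file_param(value: str) -> bool:
    """True if 'file' decodes to an upward traversal or an absolute path."""
    decoded = unquote(unquote(value))  # second pass catches double URL encoding
    normalized = decoded.replace("\\", "/")
    if normalized.startswith("/"):
        return True
    return any(seg == ".." for seg in normalized.split("/"))

def check_line(line: str):
    """Return a hit dict for a traversal request to force_download.php, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["uri"])
    if not parts.path.lower().endswith(TARGET):
        return None
    for val in parse_qs(parts.query, keep_blank_values=True).get("file", []):
        if suspicious_file_param(val):
            return {"ip": m["ip"], "time": m["ts"], "status": m["status"], "file": unquote(val)}
    return None

def scan(lines):
    """All hits across an iterable of log lines, in order."""
    return [hit for hit in map(check_line, lines) if hit]

# Constructed sample log lines (not real traffic): two traversal probes, one
# double-encoded probe under a sub-directory install, one benign download,
# and one unrelated theme request.
SAMPLE_LOG = [
    '203.0.113.5 - - [24/Apr/2025:10:01:02 +0000] "GET /wp-content/themes/the-wound/force_download.php?file=../../../wp-config.php HTTP/1.1" 200 3120 "-" "curl/8.4.0"',
    '203.0.113.5 - - [24/Apr/2025:10:01:05 +0000] "GET /wp-content/themes/the-wound/force_download.php?file=%2Fetc%2Fpasswd HTTP/1.1" 200 1784 "-" "curl/8.4.0"',
    '203.0.113.5 - - [24/Apr/2025:10:01:09 +0000] "GET /blog/wp-content/themes/the-wound/force_download.php?file=..%252F..%252Fwp-config.php HTTP/1.1" 200 3120 "-" "curl/8.4.0"',
    '198.51.100.7 - - [24/Apr/2025:10:02:11 +0000] "GET /wp-content/themes/the-wound/force_download.php?file=brochure.pdf HTTP/1.1" 200 51200 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [24/Apr/2025:10:02:12 +0000] "GET /wp-content/themes/the-wound/style.css HTTP/1.1" 200 4400 "-" "Mozilla/5.0"',
]
```

Pair this with the response-side YARA rule above, since an access log alone cannot tell whether the file was actually returned.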