CVE-2025-39463
Published: 06 November 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-39463 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, classified as PHP Remote File Inclusion (CWE-98), affecting the Dessau WordPress theme developed by Select-Themes. The flaw enables PHP Local File Inclusion and impacts all versions of the Dessau theme prior to 1.9. It carries a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high potential impact on confidentiality, integrity, and availability.
The vulnerability can be exploited over the network by low-privileged authenticated users, such as WordPress contributors or subscribers, though it requires high attack complexity and no user interaction. Successful exploitation allows attackers to perform local file inclusion, potentially leading to unauthorized access to sensitive files, code execution, or system compromise depending on the included files and server configuration.
Patchstack advisories recommend updating the Dessau theme to version 1.9 or later, where the vulnerability has been addressed. Security practitioners should scan WordPress installations for vulnerable theme versions and apply the patch immediately, prioritizing sites with low-privilege user accounts.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a critical remotely exploitable LFI/RFI in a public-facing WordPress theme, directly enabling exploitation of public-facing applications for potential code execution, data exposure, and system compromise.