CVE-2025-48149
Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in dedalx Cook&Meal cookandmeal allows PHP Local File Inclusion. This issue affects Cook&Meal: from n/a through <= 1.2.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A PHP Local File Inclusion vulnerability in the Cook&Meal WordPress theme allows unauthenticated attackers to read sensitive files via improper filename control.
Vulnerability Overview
The Cook&Meal WordPress theme, versions up to and including 1.2.3, contains a PHP Local File Inclusion (LFI) vulnerability. The issue stems from improper control of filenames used in include/require statements, allowing an attacker to manipulate file paths and include arbitrary local files from the server [1].
Exploitation Details
An attacker can exploit this vulnerability without authentication, as the vulnerable code does not properly sanitize user-supplied input used in file inclusion operations. By crafting a malicious request, the attacker can traverse directories and include sensitive files such as wp-config.php, which contains database credentials [1]. The attack requires only network access to the target website.
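To make the code-level defect concrete, the following is an added illustration of the CWE-98 pattern described above, not the theme's actual code: a request value reaching include() unchanged, beside an allowlist-based replacement. The parameter name "template", the templates/ directory and the template names are assumptions.

```php
<?php
// Added illustration of the CWE-98 pattern behind this CVE; not Cook&Meal's code.
// The "template" parameter, directory layout and template names are assumptions.

// UNSAFE pattern: an attacker-controlled value reaches include() unchanged, so
// directory traversal sequences in it resolve to any file PHP can read.
function render_template_unsafe(string $name): void {
    include __DIR__ . '/templates/' . $name . '.php';
}

// SAFE pattern: map the request value onto a fixed allowlist and never build
// the include path from the raw input.
const ALLOWED_TEMPLATES = [
    'recipe' => 'recipe.php',
    'menu'   => 'menu.php',
    'about'  => 'about.php',
];

function resolve_template(string $name): ?string {
    if (!array_key_exists($name, ALLOWED_TEMPLATES)) {
        return null;
    }
    $base = realpath(__DIR__ . '/templates');
    if ($base === false) {
        return null;
    }
    $path = realpath($base . '/' . ALLOWED_TEMPLATES[$name]);
    // Defence in depth: confirm the resolved path is still inside the template dir.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($path === false || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

function render_template_safe(string $name): void {
    $path = resolve_template($name);
    if ($path === null) {
        http_response_code(400);
        echo 'Unknown template';
        return;
    }
    include $path;
}

// Usage: the value comes from the request, e.g. $_GET['template'] ?? 'recipe',
// and only ever selects an allowlist key, never a path fragment.
```

For detection, a web server log entry whose template-style parameter contains traversal sequences or references to wp-config.php is the signal to alert on until the 1.2.4 update is applied.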
Impact
Successful exploitation allows an attacker to read the contents of arbitrary files on the server. This can lead to exposure of database credentials, configuration files, and other sensitive data. In many configurations, this could enable complete database takeover or further compromise of the WordPress installation [1].
Mitigation
The vendor has released version 1.2.4 which fixes the vulnerability. Users are strongly advised to update immediately. For those unable to update, Patchstack provides a mitigation rule to block attacks until the update is applied [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions (0)
No linked articles in our index yet.