CVE-2025-52807
Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ApusWP Kossy - Minimalist eCommerce WordPress Theme kossy allows PHP Local File Inclusion. This issue affects Kossy - Minimalist eCommerce WordPress Theme: from n/a through <= 1.45.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Kossy WordPress theme <=1.45 has a Local File Inclusion vulnerability allowing attackers to read sensitive files via improper include statement control.
Vulnerability
Overview
The Kossy - Minimalist eCommerce WordPress Theme contains a PHP Local File Inclusion (LFI) vulnerability in versions up to and including 1.45. The issue stems from improper control of filenames used in include or require statements, enabling an attacker to manipulate file paths to include arbitrary local files from the server.
Exploitation & Attack Surface
Attackers can exploit this vulnerability without authentication by crafting a malicious request that includes path traversal sequences. The attack does not require any special privileges or network position beyond sending HTTP requests to the target WordPress site. Given the widespread use of WordPress themes, this vulnerability can be exploited in mass campaigns, affecting thousands of sites regardless of their popularity [1].
Impact
Successful exploitation allows an attacker to read sensitive files on the server, such as database configuration files containing credentials. This could lead to complete database compromise and further escalation, depending on server configuration. The CVSS v3 score is 8.1 (High), reflecting the severe risk of information disclosure [1].
Mitigation
Users are strongly advised to update the Kossy theme to a patched version if available. If updating is not possible, temporary workarounds including web application firewall rules or disabling the vulnerable functionality should be considered. Hosting providers may assist with mitigation steps [1].
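The code-level fix behind this advisory, as an added example that is not the Kossy theme's own code: an include whose filename comes from a request parameter (the parameter name `tpl` and the `templates/` directory are assumptions) is replaced by an allowlist lookup plus a `realpath()` containment check, so traversal sequences can never reach the include statement.

```php
<?php
// Added example, not code from the Kossy theme. The request parameter `tpl`
// and the templates directory are assumptions for illustration only.

// Vulnerable pattern (shown for contrast, not called): the include path is
// built from request input, so "../" sequences escape the templates directory
// and any readable file on the server can be included (CWE-98).
function load_template_unsafe(string $tpl): void
{
    include __DIR__ . '/templates/' . $tpl . '.php';
}

// Hardened pattern: the request value is only a key into a fixed allowlist,
// and the resolved path is verified to stay inside the templates directory.
function load_template_safe(string $tpl): bool
{
    static $allowed = [
        'product'  => 'product.php',
        'cart'     => 'cart.php',
        'checkout' => 'checkout.php',
    ];
    if (!array_key_exists($tpl, $allowed)) {
        return false; // unknown name: refuse without ever building a path
    }
    $base = realpath(__DIR__ . '/templates');
    $path = realpath($base . '/' . $allowed[$tpl]);
    // Defence in depth: realpath() collapses "../" and symlinks, so a missing
    // file or one outside $base is rejected even if the allowlist is edited.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return false;
    }
    include $path;
    return true;
}

// Usage as a theme would call it: traversal or unknown values are refused.
$tpl = isset($_GET['tpl']) ? (string) $_GET['tpl'] : 'product';
if (!load_template_safe($tpl)) {
    http_response_code(400);
    echo 'Unknown template';
}
```

A rejected request here is also a useful detection signal: log the refused `tpl` value, since traversal attempts against a fixed allowlist are never legitimate traffic.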
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 1
News mentions: 0
No linked articles in our index yet.