CVE-2025-52812
Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ApusWP Domnoo domnoo allows PHP Local File Inclusion. This issue affects Domnoo: from n/a through <= 1.49.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A PHP Local File Inclusion vulnerability in the WordPress Domnoo theme (≤1.49) allows unauthenticated attackers to read sensitive files via improper filename handling.
Vulnerability Overview
CVE-2025-52812 describes a PHP Local File Inclusion (LFI) vulnerability in the ApusWP Domnoo WordPress theme, affecting versions from n/a through 1.49. The root cause is improper control of filenames used in include/require statements, enabling an attacker to manipulate the path and include arbitrary local files on the server [1].
Exploitation and Attack Surface
The vulnerability can be exploited without authentication, making it accessible to any remote attacker. By sending a specially crafted request, an adversary can force the theme's PHP scripts to include unintended files from the server's filesystem, bypassing normal access controls [1]. The Patchstack advisory notes that this flaw is highly dangerous and expected to be targeted in mass-exploit campaigns, as it can be used to attack thousands of websites simultaneously regardless of their popularity [1].
Impact
Successful exploitation allows a malicious actor to read sensitive local files, such as wp-config.php which contains database credentials. Depending on server configuration, this could lead to complete database compromise [1]. The CVSS v3 score of 8.1 (High) reflects the low complexity, no privileges required, and high potential impact on confidentiality.
Mitigation Status
Users must update the Domnoo theme to version 1.52.1 or later, which resolves the vulnerability. For those unable to update immediately, Patchstack offers a mitigation rule to block exploitation attempts [1]. Given the expected mass-exploitation, applying the patch urgently is strongly recommended.
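To make the include/require weakness from the overview and the fix from the mitigation section concrete, the following is an added illustration, not Domnoo's code and not from the Patchstack advisory: a hypothetical theme template loader in its vulnerable form next to a hardened form that allowlists the template name and confines the resolved path to the theme's template directory. The template names, directory layout and function names are assumptions.

```php
<?php
// Added illustration (hypothetical theme code, not Domnoo's): a template loader
// that takes the template name from the request, shown vulnerable and hardened.

// Vulnerable pattern (CWE-98): the request value flows straight into include,
// so any value that resolves to a local file gets included as PHP.
function load_template_vulnerable(string $template): void
{
    include __DIR__ . '/templates/' . $template . '.php';
}

// Hardened form: only known template names are accepted, and the resolved
// path must still sit inside the template directory (defence in depth).
const TEMPLATE_ALLOWLIST = ['home', 'single', 'archive'];

function resolve_template(string $template): ?string
{
    // Stage 1: reject anything that is not an exact allowlisted name.
    if (!in_array($template, TEMPLATE_ALLOWLIST, true)) {
        return null;
    }
    // Stage 2: confirm the canonical path stays under the template directory.
    $base = realpath(__DIR__ . '/templates');
    $path = $base === false ? false : realpath($base . '/' . $template . '.php');
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

function load_template_hardened(string $template): bool
{
    $path = resolve_template($template);
    if ($path === null) {
        http_response_code(400);   // unknown or out-of-tree template: refuse
        return false;
    }
    include $path;
    return true;
}

// Self-check on constructed inputs (CLI run; exercises the allowlist stage,
// which rejects traversal-shaped values before any filesystem access).
foreach (['single', 'archive', '../../wp-config', 'single/../../wp-config'] as $input) {
    $verdict = in_array($input, TEMPLATE_ALLOWLIST, true) ? 'allowed' : 'rejected';
    echo str_pad($input, 26) . ' => ' . $verdict . PHP_EOL;
}
```

In a real WordPress theme the same outcome is usually reached by passing a sanitized slug (for example via sanitize_key()) to get_template_part() rather than building an include path by hand.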
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0 (No patches discovered yet.)
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 1
News mentions: 0 (No linked articles in our index yet.)