VYPR
Unrated severity · NVD Advisory · Published Jun 16, 2026

WordPress Nexio theme <= 1.10.0 - Local File Inclusion vulnerability

CVE-2025-69113

Description

Unauthenticated local file inclusion in Nexio WordPress theme <=1.10.0 allows attackers to read sensitive files remotely.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

CVE-2025-69113 is an unauthenticated local file inclusion vulnerability found in the Nexio WordPress theme, affecting all versions up to and including 1.10.0. The flaw exists in the theme's file handling mechanism, which fails to properly validate user-supplied input when including local files. No authentication or special configuration is required to reach the vulnerable code path.

Exploitation

An attacker with network access to the target WordPress site can exploit this vulnerability without any authentication. By crafting a malicious HTTP request containing a path traversal sequence, the attacker can force the theme to include arbitrary local files from the server. The attack does not require any user interaction or existing privileges.

Impact

Successful exploitation allows an attacker to read sensitive local files on the target server, such as /etc/passwd, wp-config.php, or any other file containing database credentials, API keys, or similar secrets. Depending on the exposed data, this information disclosure could lead to complete database takeover or further compromise of the WordPress installation. The vulnerability has a CVSS score of 8.1, indicating high severity [1].

Mitigation

As of the publication date, the vendor has not released a patched version. The immediate action recommended by the advisory is to update the theme to a fixed version when one becomes available; if updating is not possible, users should contact their hosting provider or web developer for assistance [1]. The advisory lists the vulnerability as expected to be exploited in mass campaigns, so urgent mitigation is advised [1].

AI Insight generated on Jun 17, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0. No patches discovered yet.

Vulnerability mechanics

No source-code context is available for this CVE. Mechanics are only generated when we can read the actual fix diff; without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 1

News mentions: 1