WordPress Eros theme <= 1.3 - Local File Inclusion vulnerability
No known patch is available for this vulnerability.
The affected plugin has not been updated on WordPress.org since before this CVE was disclosed; the latest installable version is still vulnerable. If you have the affected software installed, you should uninstall or replace it rather than wait for an update.
Description
Eros WordPress theme versions 1.3 and below have an unauthenticated local file inclusion vulnerability, allowing attackers to read sensitive files.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
CVE-2025-69167 is an unauthenticated Local File Inclusion (LFI) vulnerability in the Eros WordPress theme, affecting all versions up to and including 1.3. The vulnerability exists in the theme's file handling mechanism, allowing an attacker to include arbitrary local files from the server without requiring authentication. The theme is no longer maintained, with its last official release (version 1.0.0) dating back to December 2018 [1][2].
Exploitation
An unauthenticated attacker can trigger the LFI by sending a crafted HTTP request to the affected WordPress site. No special network position or prior authentication is required. The attacker merely needs to know or guess the path to a sensitive file on the server. The vulnerability is expected to be used in mass-exploit campaigns targeting thousands of websites regardless of size [1].
Impact
Successful exploitation allows the attacker to read arbitrary local files from the target web server. This can expose sensitive information such as database credentials stored in wp-config.php, leading to complete compromise of the WordPress database and potentially the entire server, depending on configuration [1]. Confidentiality is directly impacted, and further privilege escalation may be possible.
Mitigation
No official patch has been released for the Eros theme, as the project appears abandoned (last updated in 2018) [2]. The only effective mitigation is to immediately uninstall the theme and replace it with an actively maintained alternative. Users who cannot remove it should restrict file access at the web server level, but this is not a complete solution [1]. The vulnerability is not yet listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of this writing.
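A defender-side check that supports the mitigation above, added here as an example and not code from the advisory or from the theme itself: it parses the standard WordPress style.css header of each theme directory and flags the eros theme at version 1.3 or below. It also flags child themes that declare eros as their parent, which goes slightly beyond the advisory text (a child theme cannot run without the vulnerable parent, so both must be removed). The sample headers and the themes path are constructed assumptions.

```python
import re
from pathlib import Path

# Constructed sample style.css headers (not the real theme's files); they follow
# the standard WordPress theme header format that is_affected() relies on.
SAMPLE_THEMES = {
    "eros": "/*\nTheme Name: Eros\nTheme URI: https://example.invalid/eros\nVersion: 1.3\nText Domain: eros\n*/\n",
    "eros-child": "/*\nTheme Name: Eros Child\nTemplate: eros\nVersion: 1.0\n*/\n",
    "twentytwentyfour": "/*\nTheme Name: Twenty Twenty-Four\nVersion: 1.1\n*/\n",
}

AFFECTED_SLUG = "eros"   # theme slug named in the advisory
MAX_AFFECTED = (1, 3)    # "1.3 and below"

def parse_theme_header(css: str) -> dict:
    """Extract 'Key: Value' lines from the leading comment block of style.css."""
    header = css.split("*/", 1)[0]
    fields = {}
    for m in re.finditer(r"^\s*\*?\s*([A-Za-z][A-Za-z ]*?):\s*(.+?)\s*$", header, re.M):
        fields[m.group(1).strip().lower()] = m.group(2)
    return fields

def version_tuple(v: str) -> tuple:
    """'1.3.1' -> (1, 3, 1); tuple comparison gives (1, 3, 1) > (1, 3)."""
    nums = re.findall(r"\d+", v)
    return tuple(int(n) for n in nums) if nums else (0,)

def is_affected(slug: str, fields: dict) -> bool:
    """True for eros <= 1.3, or for a child theme whose parent is eros."""
    if slug == AFFECTED_SLUG:
        return version_tuple(fields.get("version", "0")) <= MAX_AFFECTED
    return fields.get("template", "").lower() == AFFECTED_SLUG

def scan_themes(themes: dict) -> list:
    """themes maps directory slug -> style.css text; returns affected slugs."""
    return sorted(slug for slug, css in themes.items() if is_affected(slug, parse_theme_header(css)))

def scan_themes_dir(root) -> list:
    """Walk a real wp-content/themes directory (path is an assumption)."""
    root = Path(root)
    found = {p.name: (p / "style.css").read_text(errors="ignore")
             for p in root.iterdir() if (p / "style.css").is_file()}
    return scan_themes(found)

if __name__ == "__main__":
    print("affected theme directories:", scan_themes(SAMPLE_THEMES))
```

Point scan_themes_dir at the site's wp-content/themes directory; any slug it returns should be removed along with its children, then the site re-checked.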
AI Insight generated on Jun 17, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
eros: This plugin appears unmaintained. Its last release on WordPress.org predates this CVE's publication, so no fix has been shipped since the vulnerability was disclosed. The latest installable version is still vulnerable. Users should uninstall it or switch to an actively maintained alternative.
Source: api.wordpress.org · directory page
Vulnerability mechanics
No source-code context is available for this CVE. Mechanics are only generated when we can read the actual fix diff; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References: 1
News mentions: 1
- Wordfence Intelligence Weekly WordPress Vulnerability Report (May 25, 2026 to May 31, 2026), Wordfence Blog, Jun 4, 2026