CVE-2023-25998: 
WordPress vulnerability analysis and mitigation

A Local File Inclusion vulnerability (CVE-2023-25998) was discovered in the Samex - Clean, Minimal Shop WooCommerce WordPress Theme versions 2.6 and below. The vulnerability was reported by Tran Nguyen Bao Khanh from VCI - VNPT Cyber Immunity on April 30, 2025, and was publicly disclosed on June 25, 2025. This security flaw is classified as an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability (Patchstack).

The vulnerability has been assigned a CVSS v3.1 score of 8.1 (High), with the following vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. It is categorized under CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program) and falls under the OWASP Top 10 category A3: Injection. The vulnerability can be exploited without authentication, making it particularly dangerous (Patchstack).

The vulnerability allows malicious actors to include local files of the target website and display their contents. This could potentially lead to exposure of sensitive information, including database credentials, which might result in complete database takeover depending on the configuration (Patchstack).

As of the disclosure, no official fix is available for this vulnerability. However, Patchstack has issued a virtual patch to mitigate the issue by blocking potential attacks until an official fix becomes available. Website owners are advised to implement the virtual patch immediately or consider alternative themes until a fix is released (Patchstack).