CVE-2025-24766: 
WordPress vulnerability analysis and mitigation

A Local File Inclusion vulnerability (CVE-2025-24766) was discovered in WP Royal Themes News Magazine X, affecting versions through 1.2.37. The vulnerability was reported on June 2, 2025, and publicly disclosed on July 28, 2025. This security issue allows for PHP Local File Inclusion in the WordPress theme (Patchstack).

The vulnerability is classified as CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program). It received a CVSS v3.1 score of 7.5 (High), with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H. The vulnerability is particularly concerning as it can be exploited without authentication (Patchstack).

This vulnerability is considered highly dangerous and expected to become mass exploited. It could allow malicious actors to include local files of the target website and display their contents. Particularly sensitive files containing credentials, such as database configurations, could be exposed, potentially leading to complete database compromise depending on the server configuration (Patchstack).

The vulnerability has been fixed in version 1.2.38 of the News Magazine X theme. Users are strongly advised to update to this version or later immediately. For those unable to update immediately, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks (Patchstack).