CVE-2025-24769: 
WordPress vulnerability analysis and mitigation

CVE-2025-24769 is a Local File Inclusion vulnerability discovered in BZOTheme Zenny WordPress theme affecting versions up to 1.7.5. The vulnerability was reported by Phat RiO from BlueRock on April 25, 2025, and was publicly disclosed on June 23, 2025. This security flaw is classified as an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability (NVD, Patchstack).

The vulnerability is categorized under CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program). It has received a CVSS v3.1 base score of 8.1 (High), with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. This indicates that the vulnerability can be exploited remotely, requires no privileges, and can result in high impacts to confidentiality, integrity, and availability (Patchstack).

The vulnerability allows attackers to include local files of the target website and display their contents. This could potentially lead to exposure of sensitive information, including database credentials, which might result in complete database compromise depending on the server configuration (Patchstack).

As of the disclosure date, no official fix is available for this vulnerability. Patchstack has issued a virtual patch to mitigate the issue by blocking potential attacks until an official fix becomes available. Website owners are advised to implement the virtual patch immediately or consider alternative security measures (Patchstack).