CVE-2025-2519: 
WordPress vulnerability analysis and mitigation

The Sreamit theme for WordPress contains an arbitrary file download vulnerability (CVE-2025-2519) discovered in April 2025. This security flaw affects all versions up to and including 4.0.1. The vulnerability stems from insufficient file validation in the 'stsenddownload_file' function, which allows authenticated attackers with subscriber-level access or higher to download arbitrary files (NVD).

The vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory - Path Traversal). It has received a CVSS v3.1 base score of 6.5 (Medium) with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. This indicates that the vulnerability requires network access, low attack complexity, low privileges, no user interaction, and can result in high confidentiality impact without affecting integrity or availability (Wordfence).

The vulnerability allows authenticated attackers with subscriber-level privileges or higher to download arbitrary files from the affected WordPress installation. This could potentially lead to unauthorized access to sensitive information stored on the server (NVD).

The vulnerability was addressed in version 4.0.3 released on April 7, 2025, with security improvements. Users are advised to update to this version or later to protect against this vulnerability (Theme Changelog).