CVE-2025-31014: 
WordPress vulnerability analysis and mitigation

The ho3einie Material Dashboard WordPress plugin contains a Local File Inclusion vulnerability (CVE-2025-31014) that affects versions up to 1.4.5. This vulnerability is classified as an Improper Control of Filename for Include/Require Statement in PHP Program, also known as PHP Remote File Inclusion (NVD, Patchstack).

The vulnerability has been assigned a CVSS v3.1 Base Score of 7.5 (HIGH) with the following vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H. The issue is tracked as CWE-98, which relates to improper control of filename for include/require statements in PHP programs (Patchstack).

This Local File Inclusion vulnerability could allow an attacker to include local files of the target website and display their output on the screen. Files containing sensitive information, such as database credentials, could potentially be exposed, which might lead to complete database takeover depending on the configuration (Patchstack).

Users are advised to update to version 1.4.6 or later to resolve this vulnerability. Patchstack has issued a virtual patch to mitigate this issue by blocking any attacks until users can update to a fixed version (Patchstack).