CVE-2025-31097: 
WordPress vulnerability analysis and mitigation

A Local File Inclusion vulnerability (CVE-2025-31097) was discovered in ho3einie Material Dashboard affecting versions through 1.4.5. The vulnerability was reported by security researcher LVT-tholv2k on March 22, 2025, and was publicly disclosed on April 1, 2025. This security flaw is classified as an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability (Patchstack).

The vulnerability has been assigned a CVSS v3.1 base score of 8.1 (High), with the following vector string: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. The issue is categorized under CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program). This unauthenticated vulnerability allows attackers to include and access local files on the target website (Patchstack).

The vulnerability could potentially allow malicious actors to access and view the contents of local files on the affected website, including sensitive files containing credentials. In cases where database credentials are exposed, this could lead to a complete database compromise, depending on the system configuration (Patchstack).

Users are strongly advised to update to Material Dashboard version 1.4.6 or later, which contains the fix for this vulnerability. For users of Patchstack, a virtual patch has been issued to mitigate this issue by blocking potential attacks until the update can be applied (Patchstack).