CVE-2025-31632: 
WordPress vulnerability analysis and mitigation

A Local File Inclusion vulnerability (CVE-2025-31632) was discovered in SpyroPress La Boom WordPress theme versions through 2.7. The vulnerability was initially reported on April 9, 2025, by Tran Nguyen Bao Khanh from VCI - VNPT Cyber Immunity, and was publicly disclosed on May 21, 2025. This security flaw is classified as an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability (NVD, Patchstack).

The vulnerability has received a CVSS v3.1 base score of 8.1 (High) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility with no privileges required. The vulnerability is categorized under CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program). The security flaw allows unauthenticated attackers to perform Local File Inclusion attacks (Patchstack).

The vulnerability could allow malicious actors to include and view local files from the target website. This could potentially expose sensitive information, including database credentials, which might lead to complete database compromise depending on the server configuration (Patchstack).

As of the disclosure date, no official fix is available for this vulnerability. Patchstack has issued a virtual patch to mitigate the issue by blocking potential attacks until an official fix becomes available. Website owners are advised to implement immediate mitigation measures (Patchstack).