CVE-2025-32302: 
WordPress vulnerability analysis and mitigation

A Local File Inclusion vulnerability (CVE-2025-32302) was discovered in the WordPress theme Winnex versions through 1.3.2. The vulnerability was reported by Tran Nguyen Bao Khanh from VCI - VNPT Cyber Immunity on April 9, 2025, and was publicly disclosed on May 21, 2025. This security flaw is classified as an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, specifically affecting the gavias Winnex theme (Patchstack).

The vulnerability is categorized as CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program). It has received multiple severity assessments, with a CVSS v3.1 Base Score of 8.1 (High) according to Patchstack, with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. The vulnerability requires no authentication to exploit and affects the core functionality of the theme (NVD, Patchstack).

The vulnerability could allow malicious actors to include and access local files on the target website, potentially exposing sensitive information. Of particular concern is the potential access to files containing credentials, such as database configurations, which could lead to complete database compromise depending on the server configuration (Patchstack).

As of the disclosure, no official fix is available for this vulnerability. Patchstack has issued a virtual patch to mitigate the issue by blocking potential attacks until an official fix becomes available. Website owners are advised to implement immediate mitigation measures due to the high-risk nature of the vulnerability (Patchstack).