CVE-2025-39360: 
WordPress vulnerability analysis and mitigation

A Local File Inclusion vulnerability was discovered in the Grace Mag WordPress theme, identified as CVE-2025-39360. The vulnerability affects versions through 1.1.5 of the Grace Mag theme developed by everestthemes. The issue was initially reported on February 16, 2025, and was publicly disclosed on April 21, 2025 (Patchstack Database).

The vulnerability is classified as an Improper Control of Filename for Include/Require Statement in PHP Program, also known as PHP Remote File Inclusion. It has been assigned CWE-98. The vulnerability received a CVSS v3.1 score of 7.5 (High), with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating network accessibility with high attack complexity, no privileges required, and user interaction required (Patchstack Database).

The vulnerability could allow malicious actors to include local files of the target website and display their contents. This could potentially expose sensitive information, including database credentials, which might lead to complete database compromise depending on the configuration. The software is considered abandoned as it hasn't been updated for over a year, increasing the risk for users (Patchstack Database).

No official fix is currently available for this vulnerability. The recommended mitigation steps include either removing and replacing the software or implementing virtual patching through security solutions. Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until an official fix becomes available (Patchstack Database).