CVE-2025-39383: 
WordPress vulnerability analysis and mitigation

The CVE-2025-39383 vulnerability affects Code Work Web Xews Lite WordPress theme through version 1.0.9. It is classified as a PHP Local File Inclusion vulnerability, specifically an Improper Control of Filename for Include/Require Statement in PHP Program. The vulnerability was discovered and reported by Dimas Maulana on February 20, 2025, and was publicly disclosed on April 21, 2025 (Patchstack).

The vulnerability is classified with CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program). It received a CVSS v3.1 Base Score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H. The vulnerability can be exploited by unauthenticated attackers (Patchstack).

This vulnerability could allow malicious actors to include local files of the target website and display their contents. Sensitive files containing credentials, such as database configuration files, could potentially be accessed, leading to complete database compromise depending on the server configuration (Patchstack).

As of the disclosure date, no official fix is available for this vulnerability. Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until an official fix becomes available. Website administrators are advised to implement the virtual patch immediately or consider alternative themes (Patchstack).