CVE-2025-39463: 
WordPress vulnerability analysis and mitigation

CVE-2025-39463 is a Local File Inclusion vulnerability affecting Select-Themes Dessau WordPress theme versions prior to 1.9. The vulnerability was discovered and disclosed on November 6, 2025, and is classified as an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability (AttackerKB, Patchstack).

The vulnerability is rated with a CVSS score of 7.5, indicating a high severity level. It allows attackers to perform Local File Inclusion attacks against WordPress websites running the vulnerable Dessau theme. The vulnerability exists in the theme's file handling mechanism and can be exploited without authentication (Patchstack).

If exploited, this vulnerability could allow malicious actors to include and view the contents of local files on the target website. This could potentially expose sensitive information such as database credentials, depending on the server configuration, which could lead to complete database compromise (Patchstack).

The vulnerability has been fixed in version 1.9 of the Dessau theme. Users are strongly advised to update to version 1.9 or later immediately. Additionally, Patchstack has issued a mitigation rule to block potential attacks until users can update to the fixed version (Patchstack).