CVE-2025-39507: 
WordPress vulnerability analysis and mitigation

A Local File Inclusion vulnerability was discovered in NasaTheme Nasa Core WordPress plugin, identified as CVE-2025-39507. The vulnerability affects versions through 6.3.2 and was disclosed on May 16, 2025. This security issue is classified as an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability (NVD, Patchstack).

The vulnerability is categorized as CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program). It has received a CVSS v3.1 base score of 7.5 (High), with the following vector string: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H. The attack vector is network-based with high attack complexity, requiring low privileges and no user interaction. The scope is unchanged with high impact on confidentiality, integrity, and availability (Patchstack).

The vulnerability could enable an attacker to include local files of the target website and display their contents. This could potentially lead to exposure of sensitive information, including database credentials, which might result in complete database compromise depending on the configuration (Patchstack).

Currently, there is no official fix available for this vulnerability. The issue affects Nasa Core versions through 6.3.2 (Patchstack).