CVE-2025-48149: 
WordPress vulnerability analysis and mitigation

A Local File Inclusion vulnerability (CVE-2025-48149) was discovered in dedalx Cook&Meal WordPress theme affecting versions through 1.2.3. The vulnerability was disclosed on July 30, 2025, and involves improper control of filename for include/require statements in PHP programs (Patchstack).

The vulnerability is classified as a PHP Local File Inclusion issue with a CVSS v3.1 base score of 8.1 (HIGH), with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. The vulnerability is tracked under CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program) (NVD).

This vulnerability could allow malicious actors to include local files of the target website and display their contents. Particularly sensitive files containing credentials, such as database configurations, could be exposed, potentially leading to complete database takeover depending on the system configuration (Patchstack).

The vulnerability has been fixed in version 1.2.4 of the Cook&Meal theme. Users are advised to update to version 1.2.4 or later immediately. Additionally, Patchstack has issued a virtual patch to mitigate this issue by blocking attacks until users can update to the fixed version (Patchstack).