CVE-2025-48160: 
WordPress vulnerability analysis and mitigation

A Local File Inclusion vulnerability (CVE-2025-48160) was discovered in CocoBasic Caliris WordPress theme affecting versions up to 1.5. The vulnerability was reported on April 28, 2025, and publicly disclosed on July 22, 2025. This security flaw stems from improper control of filename for include/require statements in PHP programming (Debian Security, Patchstack Database).

The vulnerability has been assigned a CVSS score of 8.1, indicating high severity. It is classified as an A3: Injection vulnerability according to the OWASP Top 10. The security flaw allows for unauthenticated Local File Inclusion attacks, which involves improper control of filename for include/require statements in PHP programming (Patchstack Database).

This vulnerability could enable malicious actors to include and access local files on the target website and display their contents. Particularly concerning is the potential access to sensitive files containing credentials, such as database configuration files, which could lead to complete database compromise depending on the server configuration (Patchstack Database).

The vulnerability has been patched in version 1.6 of the Caliris theme. Users are strongly advised to update to version 1.6 or later immediately. For those unable to update immediately, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks (Patchstack Database).