CVE-2025-48290: 
WordPress vulnerability analysis and mitigation

CVE-2025-48290 is a Local File Inclusion (LFI) vulnerability affecting multiple WordPress themes by bslthemes. The vulnerability was publicly disclosed on May 20, 2025, and affects several themes including ashley, builty, itsulu, kaffen, kinsley, larson, luique, ober, ruizarch, and samantha. This vulnerability allows unauthenticated attackers to include and execute arbitrary files on the server (WPScan).

The vulnerability is classified as a Local File Inclusion (LFI) vulnerability with a CVSS score of 9.8 (Critical), falling under the OWASP Top 10 category A1: Injection and CWE-22. The vulnerability allows unauthenticated attackers to include and execute arbitrary files on the server, potentially leading to the execution of any PHP code in those files (WPScan, Patchstack).

The vulnerability can be exploited to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other "safe" file types can be uploaded and included. This makes it possible for attackers to execute arbitrary PHP code on the affected server (WPScan).

Fixed versions have been released for all affected themes: ashley (1.8.0), builty (1.5.0), itsulu (1.5.0), kaffen (1.2.6), kinsley (3.4.5), larson (1.6.0), luique (1.3.1), ober (1.3.4), ruizarch (1.2.0), and samantha (1.2.0). Users are advised to update to these patched versions immediately (WPScan).