CVE-2025-49070: 
WordPress vulnerability analysis and mitigation

A Local File Inclusion vulnerability (CVE-2025-49070) was discovered in NasaTheme Elessi WordPress theme versions prior to 6.4.1. The vulnerability was disclosed on July 1, 2025, and was assigned a CVSS v3.1 base score of 7.5 (High) (Patchstack).

The vulnerability is classified as an Improper Control of Filename for Include/Require Statement in PHP Program (PHP Remote File Inclusion) vulnerability (CWE-98). It has been assigned a CVSS v3.1 vector of CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility with high attack complexity, requiring low privileges, no user interaction, and potentially resulting in high impacts to confidentiality, integrity, and availability (NVD).

This vulnerability could allow a malicious actor with subscriber-level privileges to include local files of the target website and display their contents. Files containing sensitive information, such as database credentials, could potentially be exposed, leading to complete database compromise depending on the configuration (Patchstack).

Users are strongly advised to update to Elessi theme version 6.4.1 or later to resolve this vulnerability. Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until users can update to the fixed version (Patchstack).