CVE-2025-49256: 
WordPress vulnerability analysis and mitigation

CVE-2025-49256 is a Local File Inclusion vulnerability discovered in the thembay Sapa WordPress theme affecting versions through 1.1.14. The vulnerability was disclosed on June 11, 2025, and was assigned a CVSS v3.1 base score of 8.1 (High). The vulnerability is classified as CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program) (Wiz, NVD).

The vulnerability is classified under CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program). It has been assigned a CVSS v3.1 vector string of CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating that it can be exploited remotely without requiring privileges or user interaction (NVD).

This vulnerability could allow malicious actors to include local files of the target website and display their contents. Particularly sensitive files containing credentials, such as database configuration files, could be exposed, potentially leading to complete database compromise depending on the server configuration (Patchstack).

Users are strongly advised to update to Sapa version 1.1.15 or later, which contains the fix for this vulnerability. For immediate protection, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until users can update to the fixed version (Patchstack).