CVE-2025-49258: 
WordPress vulnerability analysis and mitigation

CVE-2025-49258 is a Local File Inclusion vulnerability discovered in thembay Maia WordPress theme affecting versions through 1.1.15. The vulnerability was initially reported by Phat RiO - BlueRock on April 30, 2025, and was publicly disclosed on June 11, 2025. This security issue is classified as an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability (Wiz, Patchstack).

The vulnerability has been assigned a CVSS v3.1 score of 8.1 (High) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. It is tracked under CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program). The vulnerability allows for PHP Local File Inclusion, which could potentially expose sensitive system files (Patchstack).

This vulnerability could allow a malicious actor to include local files of the target website and display their contents. Of particular concern is the potential access to files containing sensitive information such as database credentials, which could lead to a complete database takeover depending on the configuration (Patchstack).

Users are advised to update to version 1.1.16 or later to resolve the vulnerability. For immediate protection, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until users can update to the fixed version (Patchstack).