CVE-2025-49260: 
WordPress vulnerability analysis and mitigation

A Local File Inclusion vulnerability (CVE-2025-49260) was discovered in the WordPress theme Aora, affecting versions up to 1.3.9. The vulnerability was initially reported on April 30, 2025, by security researcher Phat RiO from BlueRock and was publicly disclosed on June 11, 2025. This unauthenticated vulnerability is classified as CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program) and received a high CVSS score of 8.1 (Wiz, Patchstack).

The vulnerability is categorized as CWE-98, specifically a PHP Local File Inclusion vulnerability. The CVSS vector string is CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating that the vulnerability can be exploited remotely without requiring authentication or user interaction (NVD).

The vulnerability could enable malicious actors to include and view local files from the target website. This could potentially expose sensitive information, including database credentials, which might lead to a complete database compromise depending on the server configuration. The high CVSS score of 8.1 indicates the serious nature of this vulnerability (Patchstack).

The vulnerability has been fixed in Aora version 1.3.10. Users are strongly advised to update to this version or later immediately. For temporary mitigation, Patchstack has issued a virtual patch to block potential attacks until the update can be applied (Wiz, Patchstack).