CVE-2025-49296: 
WordPress vulnerability analysis and mitigation

Path Traversal vulnerability (CVE-2025-49296) was discovered in Mikado-Themes GrandPrix WordPress theme, affecting versions up to 1.6. The vulnerability was disclosed on June 9, 2025, and allows PHP Local File Inclusion attacks (Patchstack, NVD).

The vulnerability is classified as a Path Traversal vulnerability (CWE-35) that enables PHP Local File Inclusion. It received a CVSS v3.1 Base Score of 8.1 (HIGH) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating that it can be exploited remotely without requiring privileges or user interaction (Patchstack).

This vulnerability is considered highly dangerous and expected to become mass exploited. It could allow malicious actors to include local files of the target website and display their contents. Particularly sensitive files containing credentials, such as database configurations, could potentially lead to complete database takeover depending on the system configuration (Patchstack).

Users are strongly advised to update to version 1.6.1 or later which contains the fix for this vulnerability. Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until users can update to the fixed version (Patchstack).