CVE-2025-49383: 
WordPress vulnerability analysis and mitigation

CVE-2025-49383 is a Local File Inclusion vulnerability discovered in CocoBasic Neresa WordPress theme versions up to 1.3. The vulnerability was disclosed on August 27, 2025, and was identified by Tran Nguyen Bao Khanh from VCI - VNPT Cyber Immunity. The issue is classified as an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability (Patchstack).

The vulnerability is categorized as CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program) and has received a CVSS v3.1 Base Score of 8.1 (HIGH) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. The vulnerability allows for PHP Local File Inclusion and can be exploited without authentication (Patchstack).

This vulnerability could allow malicious actors to include local files of the target website and display their contents. Particularly sensitive files containing credentials, such as database configuration files, could be exposed, potentially leading to complete database compromise depending on the server configuration (Patchstack).

The vulnerability has been fixed in version 1.4 of the Neresa theme. Users are strongly advised to update to version 1.4 or later immediately. For temporary mitigation, Patchstack has issued a virtual patch to block potential attacks until the update can be applied (Patchstack).