CVE-2025-52729: 
WordPress vulnerability analysis and mitigation

CVE-2025-52729 is a Local File Inclusion vulnerability discovered in the WordPress Diza theme versions 1.3.9 and below. The vulnerability was initially reported on June 10, 2025, by Tran Nguyen Bao Khanh from VCI - VNPT Cyber Immunity and was officially published on July 1, 2025. This security flaw is classified as an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, affecting the thembay Diza WordPress theme (Patchstack, NVD).

The vulnerability is categorized under CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program) and has received a CVSS v3.1 score of 8.1 (High). The technical assessment indicates that this is an unauthenticated vulnerability, meaning it can be exploited without requiring user authentication. The CVSS vector string is CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility, high attack complexity, and potential for high impact across confidentiality, integrity, and availability (Patchstack).

The vulnerability allows malicious actors to include local files of the target website and display their contents on the screen. Of particular concern is the potential access to files containing sensitive information such as database credentials, which could lead to a complete database takeover depending on the system configuration (Patchstack).

The vulnerability has been fixed in version 1.3.11 of the Diza theme. Users are strongly advised to update to version 1.3.11 or later immediately. Additionally, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until users can update to the fixed version (Patchstack).