CVE-2025-53567: 
WordPress vulnerability analysis and mitigation

The CVE-2025-53567 is a Local File Inclusion vulnerability affecting Ghost Kit WordPress plugin versions through 3.4.1. The vulnerability was discovered on July 16, 2025, and is classified as a high-severity issue with a CVSS v3.1 base score of 8.1. The vulnerability stems from Improper Control of Filename for Include/Require Statement in PHP Program, allowing unauthenticated attackers to perform PHP Local File Inclusion attacks (Patchstack, AttackerKB).

The vulnerability has been assigned a CVSS v3.1 base score of 8.1 (High) with the following vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. The attack vector is Network-based, with high attack complexity, requiring no privileges or user interaction. The impact scores are high for confidentiality, integrity, and availability (AttackerKB).

This vulnerability could allow malicious actors to include local files of the target website and display their contents. Particularly concerning is the potential access to files containing sensitive information such as database credentials, which could lead to complete database compromise depending on the system configuration (Patchstack).

The vulnerability has been patched in Ghost Kit version 3.4.2. Users are strongly advised to update to version 3.4.2 or later immediately. For temporary mitigation, Patchstack has issued a virtual patch to block potential attacks until the update can be applied (Patchstack).