CVE-2025-53578: 
WordPress vulnerability analysis and mitigation

A Local File Inclusion vulnerability (CVE-2025-53578) was discovered in gavias Kipso theme affecting versions through 1.3.4. The vulnerability was reported by Tran Nguyen Bao Khanh from VCI - VNPT Cyber Immunity on July 24, 2025, and was publicly disclosed on August 23, 2025 (Patchstack).

The vulnerability is classified as an Improper Control of Filename for Include/Require Statement in PHP Program (CWE-98). It received a CVSS v3.1 base score of 8.1 (High), with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. The scoring indicates that the vulnerability is network-accessible, requires no privileges or user interaction, but has high attack complexity. The impact potential is high across confidentiality, integrity, and availability (Patchstack).

This vulnerability could allow an unauthenticated attacker to include and access local files on the target website. Particularly concerning is the potential access to sensitive files containing credentials, such as database configuration files, which could lead to complete database compromise depending on the server configuration (Patchstack).

Users are strongly advised to update to Kipso version 1.3.5 or later, which contains the fix for this vulnerability. For immediate protection, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until the update can be applied (Patchstack).