CVE-2025-54689: 
WordPress vulnerability analysis and mitigation

The CVE-2025-54689 is a Local File Inclusion vulnerability affecting the Urna WordPress theme versions through 2.5.7. The vulnerability was discovered by Tran Nguyen Bao Khanh from VCI - VNPT Cyber Immunity and was disclosed on August 6, 2025. This security flaw is classified as an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability (Patchstack).

The vulnerability has been assigned a CVSS v3.1 Base Score of 8.1 (High), with an Impact Score of 5.9 and Exploitability Score of 2.2. The attack vector is Network-based (AV:N) with High attack complexity (AC:H), requiring no privileges (PR:N) and no user interaction (UI:N). The scope is unchanged (S:U), with High impact on Confidentiality, Integrity, and Availability (C:H/I:H/A:H) (AttackerKB).

This Local File Inclusion vulnerability could allow malicious actors to include and display local files from the target website. Particularly concerning is the potential access to files containing sensitive information such as database credentials, which could lead to a complete database compromise depending on the system configuration (Patchstack).

The vulnerability has been patched in Urna version 2.5.8. Users are strongly advised to update to this version or later to resolve the security issue. Additionally, Patchstack has issued a virtual patch to mitigate this vulnerability by blocking potential attacks until users can update to the fixed version (Patchstack).