CVE-2025-54690: 
WordPress vulnerability analysis and mitigation

A Local File Inclusion vulnerability (CVE-2025-54690) was discovered in themeStek's Xinterio WordPress theme affecting versions up to 4.2. The vulnerability was reported by Tran Nguyen Bao Khanh from VCI - VNPT Cyber Immunity on July 5, 2025, and was publicly disclosed on August 6, 2025 (Patchstack).

The vulnerability is classified as an Improper Control of Filename for Include/Require Statement in PHP Program (PHP Remote File Inclusion) vulnerability, identified as CWE-98. It received a CVSS v3.1 score of 8.1 (High), with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility with high attack complexity, no privileges required, and potential for high impacts on confidentiality, integrity, and availability (Patchstack).

This vulnerability could allow malicious actors to include and access local files of the target website, potentially exposing sensitive information. Of particular concern is the potential access to files containing credentials, such as database configurations, which could lead to complete database compromise depending on the system configuration (Patchstack).

The vulnerability has been fixed in version 4.3 of the Xinterio theme. Users are strongly advised to update to version 4.3 or later immediately. For immediate protection, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until users can update to the fixed version (Patchstack).