CVE-2025-54701: 
WordPress vulnerability analysis and mitigation

A Local File Inclusion vulnerability (CVE-2025-54701) was discovered in ThemeMove's Unicamp WordPress theme, affecting versions through 2.6.3. The vulnerability was disclosed on August 14, 2025, and allows unauthenticated attackers to perform PHP Local File Inclusion attacks (Patchstack).

The vulnerability is classified as a PHP Remote File Inclusion vulnerability (CWE-98) with a CVSS v3.1 base score of 8.1 (High). The attack vector is network-accessible (AV:N) with high attack complexity (AC:H), requires no privileges (PR:N), and no user interaction (UI:N). The scope is unchanged (S:U) with high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H) (NVD).

This vulnerability could allow malicious actors to include local files of the target website and display their contents. Particularly sensitive files containing credentials, such as database configuration files, could be exposed, potentially leading to complete database compromise depending on the server configuration (Patchstack).

The vulnerability has been patched in version 2.6.4 of the Unicamp theme. Users are strongly advised to update to version 2.6.4 or later immediately. Additionally, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until users can update to the fixed version (Patchstack).