CVE-2025-54709: 
WordPress vulnerability analysis and mitigation

CVE-2025-54709 is a Local File Inclusion vulnerability affecting the WordPress theme Sala versions through 1.1.6, discovered by Tran Nguyen Bao Khanh from VCI - VNPT Cyber Immunity. The vulnerability was disclosed on August 20, 2025, and has been assigned a CVSS v3 Base Score of 8.1 (High severity) (Patchstack, AttackerKB).

The vulnerability is classified as an Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion'). It has been assigned a CVSS v3 Base Score of 8.1, with the following vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. The attack vector is Network-based, requires no privileges or user interaction, though it has high attack complexity (AttackerKB).

This vulnerability could allow an unauthenticated attacker to include local files of the target website and display their contents. Particularly concerning is the potential access to files containing sensitive information such as database credentials, which could lead to a complete database compromise depending on the system configuration (Patchstack).

The vulnerability has been fixed in Sala version 1.1.7. Users are strongly advised to update to version 1.1.7 or later immediately. For those unable to update immediately, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until the update can be applied (Patchstack).