CVE-2025-58994: 
WordPress vulnerability analysis and mitigation

A Local File Inclusion vulnerability was discovered in the WordPress Greenify theme versions 2.2 and below, identified as CVE-2025-58994. The vulnerability was reported by Tran Nguyen Bao Khanh from VCI - VNPT Cyber Immunity on August 29, 2025, and was publicly disclosed on September 28, 2025. The affected software is the Greenify Solar & Renewable Energy WordPress Theme developed by PBM Infotech Private Limited (Patchstack Database).

The vulnerability has been assigned a CVSS score of 8.1 (High), indicating its serious nature. It is classified under the OWASP Top 10 category A3: Injection. The vulnerability can be exploited without authentication, making it particularly dangerous. The technical vector string for the vulnerability is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (Wordfence Intel).

This vulnerability could allow malicious actors to include local files of the target website and display their contents on the screen. Of particular concern is the potential access to files containing sensitive information such as database credentials, which could lead to a complete database takeover depending on the system configuration (Patchstack Database).

The vulnerability has been patched in version 2.3 of the Greenify theme. Users are strongly advised to update to version 2.3 or later immediately to remove the vulnerability. Additionally, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until users can update to the fixed version (Patchstack Database).