CVE-2025-59588: 
WordPress vulnerability analysis and mitigation

A Local File Inclusion vulnerability (CVE-2025-59588) was discovered in PenciDesign's Soledad WordPress theme, affecting versions up to 8.6.8. The vulnerability was reported by João Pedro S Alcântara on September 13, 2025, and was publicly disclosed on September 22, 2025. This security issue has been assigned a CVSS score of 7.5 (High) and is classified under CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program) (Patchstack).

The vulnerability is classified as an Improper Control of Filename for Include/Require Statement in PHP Program, specifically affecting the Soledad WordPress theme. It has been assigned a CVSS v3.1 base score of 7.5 with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H. The vulnerability requires Contributor-level privileges or higher to exploit (NVD, Patchstack).

The vulnerability could allow a malicious actor to include local files of the target website and display their contents on the screen. Of particular concern is the potential access to files containing sensitive information such as database credentials, which could lead to a complete database compromise depending on the system configuration (Patchstack).

The vulnerability has been patched in version 8.6.9 of the Soledad theme. Users are advised to update to version 8.6.9 or later to remediate this security issue (Patchstack).