CVE-2025-2558

HIGH NUCLEI

The-wound WordPress <0.0.1 - Path Traversal

Title source: llm

Description

The-wound WordPress theme through 0.0.1 does not validate some parameters before using them to generate paths passed to include function/s, allowing unauthenticated users to perform LFI attacks and download arbitrary file from the server

Nuclei Templates (1)

WordPress The Wound Theme <= 0.0.1 - Local File Inclusion

HIGHVERIFIEDby pussycat0x

Shodan: http.component:"WordPress"

References (1)

[Exploit, Third Party Advisory] https://wpscan.com/vulnerability/6a8e1c89-a01d-4347-91fc-ba454784b153/

Scores

CVSS v3 8.6

EPSS 0.1115

EPSS Percentile 93.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Details

Status published

Products (1)

the_wound_project/the_wound < 0.0.1

Published Apr 24, 2025

Tracked Since Feb 18, 2026