Plattform
wordpress
Komponente
litho
Behoben in
3.0.1
CVE-2025-49879 describes an Arbitrary File Access vulnerability within the themezaa Litho WordPress theme. This flaw allows attackers to potentially read arbitrary files on the server by manipulating file paths. The vulnerability impacts versions of Litho from 0.0.0 through 3.0, and a patch is available in version 3.0.1.
The Arbitrary File Access vulnerability in Litho allows an attacker to bypass intended access controls and read arbitrary files on the web server. This could expose sensitive data such as configuration files, database credentials, or even source code. Successful exploitation could lead to complete compromise of the WordPress site and potentially the underlying server. The attacker could leverage this access to escalate privileges, install malware, or steal user data. While no direct precedent is immediately obvious, path traversal vulnerabilities are frequently exploited to gain unauthorized access to system resources.
CVE-2025-49879 was published on 2025-06-17. The vulnerability's severity is considered HIGH. No public proof-of-concept exploits are currently known, and there's no indication of active exploitation campaigns. It is not listed on the CISA KEV catalog at the time of this writing.
WordPress websites using the themezaa Litho theme, particularly those running versions 0.0.0 through 3.0, are at risk. Shared hosting environments where users have limited control over theme updates are especially vulnerable. Sites with sensitive data stored on the server are at higher risk of compromise.
• wordpress / composer / npm:
grep -r "../" /var/www/html/wp-content/themes/litho/*• generic web:
curl -I 'http://example.com/wp-content/themes/litho/../../../../etc/passwd'disclosure
Exploit-Status
EPSS
0.10% (26% Perzentil)
CISA SSVC
CVSS-Vektor
The primary mitigation for CVE-2025-49879 is to immediately upgrade the Litho WordPress theme to version 3.0.1 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a Web Application Firewall (WAF) rule to block requests containing suspicious path traversal sequences (e.g., ../). Additionally, restrict file permissions on sensitive files to prevent unauthorized access. Regularly review WordPress plugin and theme updates to address potential vulnerabilities proactively. After upgrading, confirm the vulnerability is resolved by attempting to access a restricted file via a path traversal request and verifying that access is denied.
Actualice el tema Litho a una versión corregida. Verifique el sitio web del desarrollador o el repositorio de WordPress para obtener la última versión disponible. Como no se especifica una versión corregida en el CVE, contacte al desarrollador para obtener más información.
Schwachstellenanalysen und kritische Warnungen direkt in deinen Posteingang.
CVE-2025-49879 is a HIGH severity vulnerability in the Litho WordPress theme allowing attackers to read arbitrary files via path traversal. It affects versions 0.0.0–3.0.
You are affected if your WordPress site uses the Litho theme and is running version 3.0 or earlier. Upgrade to 3.0.1 to resolve the issue.
Upgrade the Litho WordPress theme to version 3.0.1 or later. As a temporary workaround, implement a WAF rule to block path traversal attempts.
There is currently no indication that CVE-2025-49879 is being actively exploited, but it's crucial to apply the patch promptly.
Refer to the themezaa website or WordPress plugin repository for the official advisory and update information regarding CVE-2025-49879.
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.