PHP Remote File Inclusion Vulnerability in ThemBay Urna Theme
CVE-2025-54689

8.1HIGH

Key Information:

Vendor: WordPress
Status: Urna
Vendor: CVE Published:; 14 August 2025

What is CVE-2025-54689?

The vulnerability in the ThemBay Urna theme arises from improper control of filenames used with include or require statements in PHP. This flaw enables local file inclusion, allowing an attacker to execute files on the server and potentially gain unauthorized access to sensitive information. Affected versions include Urna theme up to 2.5.7, which leaves WordPress sites at risk if not mitigated.

Affected Version(s)

Urna <= 2.5.7

References

https://patchstack.com/database/wordpress/theme/urna/vuln...

vdb-entry

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 14, 2025
Vulnerability Reserved
Jul 28, 2025

Credit

Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) (Patchstack Alliance)