Mallory
Severity: High · Public exploit

Arbitrary File Download / LFI in The Wound WordPress Theme force_download.php

Identifiers: CVE-2025-2558, CWE-22

CVE-2025-2558 affects The Wound WordPress theme through version 0.0.1. The theme does not validate the user-supplied parameters it uses to build filesystem paths before handing them to PHP include/file handling logic. According to the provided evidence, the vulnerable endpoint is /wp-content/themes/the-wound/force_download.php, which accepts a file parameter. An unauthenticated attacker can supply a directory traversal sequence such as ../../../wp-config.php to escape the intended download directory and make the server return arbitrary local files. The supplied validation output shows wp-config.php being retrieved with an HTTP 200 response carrying a Content-Disposition attachment header, which confirms arbitrary file read/download via path traversal (CWE-22) with the local-file-inclusion style behaviour described in the title.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation lets an unauthenticated attacker download any file the web server process can read. In the demonstrated case that includes wp-config.php, which exposes the database host, user name and password, the table prefix, and the WordPress authentication keys and salts. With those, an attacker can connect to the database directly wherever it is reachable, read or modify user accounts, and take over the WordPress instance; other readable files (backups, .env files, configuration of other sites on the same host) extend the impact to the hosting environment. The observed behaviour is a file download (Content-Disposition: attachment), so the confirmed impact is disclosure rather than code execution.

Mitigation

If you can’t patch tonight, do this now.

Until a fix is available, deny direct access to /wp-content/themes/the-wound/force_download.php at the web server, or remove the file if nothing depends on it; an Apache <Files> or nginx location block that returns 403 for that path closes the hole without touching the theme. If you rely on a WAF rule instead, make it match the file parameter after URL decoding, so that %2e%2e%2f and double-encoded %252e%252e%252f variants are caught as well as a literal ../, and cover absolute paths and NUL bytes too. Filesystem permissions limit what else the PHP process can read (other sites' configuration, backups, system files), but WordPress itself must be able to read wp-config.php, so permissions alone cannot protect that file. Review access logs for requests to force_download.php whose file parameter contains traversal sequences or names such as wp-config.php; a 200 response to such a request is evidence that the file was served. In that case rotate the database credentials, the WordPress authentication keys and salts, and any other secret stored in a file the endpoint could have returned.
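The log review described above, as an added example that is not part of the original advisory: it parses Apache combined-format access log lines, decodes the file parameter repeatedly so double-encoded traversal is not missed, and flags requests that target force_download.php with traversal sequences, absolute paths, NUL bytes or sensitive file names. The log lines are constructed for illustration (documentation-range IPs, invented timestamps and sizes), and the list of sensitive targets is an assumption you should extend for your environment.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache combined-format access log lines (not real traffic);
# IP addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2025:11:02:31 +0000] "GET /wp-content/themes/the-wound/force_download.php?file=brochure.pdf HTTP/1.1" 200 51234
203.0.113.7 - - [10/Mar/2025:11:03:02 +0000] "GET /wp-content/themes/the-wound/force_download.php?file=../../../wp-config.php HTTP/1.1" 200 3107
198.51.100.22 - - [10/Mar/2025:11:05:47 +0000] "GET /wp-content/themes/the-wound/force_download.php?file=%2e%2e%2f%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 200 3107
198.51.100.22 - - [10/Mar/2025:11:06:10 +0000] "GET /wp-content/themes/the-wound/force_download.php?file=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 403 199
192.0.2.9 - - [10/Mar/2025:11:07:55 +0000] "GET /index.php?file=../../../wp-config.php HTTP/1.1" 404 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# ".." as a whole path component, with / or \ as the separator
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')
# Assumed list of names worth flagging on their own; extend for your environment.
SENSITIVE_TARGETS = ("wp-config.php", "/etc/passwd", "/etc/shadow", ".env", ".htaccess")


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so %252e%252e%252f (double encoding) becomes '../'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(line):
    """Return a finding dict for a force_download.php request, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not fully_decode(parts.path).endswith("/force_download.php"):
        return None
    # parse_qs decodes one layer; decode again to catch double encoding
    file_arg = fully_decode(parse_qs(parts.query, keep_blank_values=True).get("file", [""])[0])
    reasons = []
    if TRAVERSAL_RE.search(file_arg):
        reasons.append("traversal")
    if file_arg.startswith(("/", "\\")):
        reasons.append("absolute-path")
    if "\x00" in file_arg:
        reasons.append("nul-byte")
    if any(t in file_arg for t in SENSITIVE_TARGETS):
        reasons.append("sensitive-target")
    status = int(m.group("status"))
    return {
        "ip": m.group("ip"),
        "time": m.group("ts"),
        "file": file_arg,
        "status": status,
        "reasons": reasons,
        # A 200 on a traversal request means the file was most likely served:
        # treat it as a confirmed read and rotate the secrets it contains.
        "likely_served": status == 200 and bool(reasons),
    }


def scan(log_text):
    """Return only the suspicious force_download.php requests, in log order."""
    findings = (classify(line) for line in log_text.splitlines() if line.strip())
    return [f for f in findings if f and f["reasons"]]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        flag = "SERVED" if f["likely_served"] else "blocked"
        print(f'{f["time"]} {f["ip"]} {flag} {f["status"]} file={f["file"]!r} {",".join(f["reasons"])}')
```

Run it against your real access log by replacing SAMPLE_LOG with the file contents; any finding marked SERVED is the trigger for the secret rotation described above, since the response size alone (3107 bytes for wp-config.php in the constructed lines) cannot tell you what was returned.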

Remediation

Patch, then assume compromise.

Upgrade to a fixed release of The Wound theme if the vendor publishes one. If no patched release exists, remove or disable the theme, or at least the force_download.php functionality. A correct fix never passes the raw file parameter to include, require, readfile or fopen. Instead it accepts only a bare filename (no path separators, no .., no NUL byte), checks that name against a fixed allowlist, resolves it under a fixed download directory with realpath(), and verifies that the canonical path is still inside that directory before serving it, so that symlinks and encoded traversal sequences are rejected as well as a literal ../.
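The checks the paragraph above calls for, written out as an added example in Python; the theme is PHP and this is not the theme's code, and the allowlist, directory layout and file names are assumptions made for illustration. It rejects anything that is not a bare filename, consults the allowlist before touching the disk, canonicalises the result and confirms it still sits directly inside the fixed download directory, which also refuses an allowlisted name that is a symlink pointing outside it:

```python
import os
import tempfile
from pathlib import Path

# Hypothetical allowlist of files the download endpoint is permitted to serve.
ALLOWED_FILES = frozenset({"brochure.pdf", "pricing.pdf"})


def resolve_download(base_dir, requested, allowed=ALLOWED_FILES):
    """Map a user-supplied `file` value to a canonical path under base_dir,
    or return None if the request must be refused."""
    # 1. Only a bare filename is acceptable: no separators, no '..', no NUL byte.
    if not requested or "\x00" in requested or requested != os.path.basename(requested):
        return None
    # 2. Allowlist before touching the filesystem, so unknown names never reach the disk.
    if requested not in allowed:
        return None
    base = Path(base_dir).resolve()
    candidate = (base / requested).resolve()  # canonicalises symlinks as well
    # 3. Containment: the canonical target must still sit directly inside base_dir.
    if candidate.parent != base or not candidate.is_file():
        return None
    return str(candidate)


def demo():
    """Build a throwaway WordPress-like tree (constructed data) and exercise the checks.
    Returns {request: served?} for a set of benign and hostile file values."""
    with tempfile.TemporaryDirectory() as root:
        downloads = Path(root, "downloads")
        downloads.mkdir()
        (downloads / "brochure.pdf").write_bytes(b"%PDF-1.4 constructed sample")
        Path(root, "wp-config.php").write_text("<?php define('DB_PASSWORD', 'constructed-secret');")
        # An allowlisted name that is a symlink escaping the directory must still be refused.
        os.symlink(Path(root, "wp-config.php"), downloads / "pricing.pdf")
        requests = [
            "brochure.pdf",             # legitimate
            "../wp-config.php",         # traversal
            "../../../wp-config.php",   # the traversal from the advisory
            "wp-config.php",            # bare name, but not allowlisted
            "brochure.pdf\x00.txt",     # NUL-byte truncation attempt
            "pricing.pdf",              # allowlisted, but resolves outside base_dir
            "",                         # empty
        ]
        return {r: resolve_download(downloads, r) is not None for r in requests}


if __name__ == "__main__":
    for request, ok in demo().items():
        print(f"{'serve' if ok else 'refuse'}  {request!r}")
```

In PHP the same three steps map onto basename(), in_array() against a fixed array, and realpath() of the joined path compared with realpath() of the base directory. The point is that the containment comparison happens on the canonical path, after symlinks and encoded sequences have been resolved, not on the raw string the client sent.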

PUBLIC EXPLOITS

Exploits

No public exploit code observed for this vulnerability; no public exploits tracked yet.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors correlated with this vulnerability (vendor-confirmed product mapping):

Vendor              Product      Type
The Wound Project   The Wound    application
