Wanderland WordPress Theme CVE-2025-39467
HIGHSeverity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
6DescriptionCVE.org
Path Traversal: '.../...//' vulnerability in Mikado-Themes Wanderland wanderland allows PHP Local File Inclusion.This issue affects Wanderland: from n/a through <= 1.7.1.
AnalysisAI
Path traversal vulnerability in Wanderland WordPress theme versions ≤1.7.1 enables remote unauthenticated PHP local file inclusion through crafted '.../...//' patterns. Successful exploitation allows reading arbitrary PHP files on the server, potentially exposing database credentials, configuration secrets, or achieving remote code execution if writable paths exist. EPSS score of 0.05% (17th percentile) indicates relatively low probability of mass exploitation, and no evidence of active exploitation in CISA KEV. Attack complexity is rated High (AC:H), suggesting exploitation requires specific timing, configuration conditions, or race conditions despite the remote unauthenticated attack vector.
Technical ContextAI
This vulnerability exploits CWE-35 (Path Traversal: '.../...//' pattern), a variant of directory traversal that uses nested triple-dot sequences to bypass common sanitization filters that only block single '../' patterns. The affected product is Wanderland, a WordPress theme developed by Qode Interactive (Mikado Themes), as identified by CPE cpe:2.3:a:qodeinteractive:wanderland:*:*:*:*:*:wordpress:*:*. In WordPress theme architecture, local file inclusion vulnerabilities typically occur when user-supplied input is passed to PHP include(), require(), or file reading functions without proper path validation. The '.../...//' pattern can circumvent naive regex filters that look for standard '../' sequences, allowing attackers to traverse directory structures and include arbitrary PHP files. This can expose sensitive configuration files like wp-config.php containing database credentials, or enable remote code execution if attackers can include uploaded files or log files containing malicious PHP code.
RemediationAI
Upgrade Wanderland WordPress theme to version 1.7.2 or later if available-verify patched version with Qode Interactive or through the Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/wanderland/vulnerability/wordpress-wanderland-1-7-1-local-file-inclusion-vulnerability. If immediate upgrade is not feasible, implement compensating controls: disable the Wanderland theme and switch to a secure alternative WordPress theme until patching is complete (eliminates attack surface entirely but requires theme reconfiguration); restrict access to WordPress admin areas and theme file handlers via Web Application Firewall rules that block requests containing triple-dot patterns ('...') in URL parameters (may cause false positives for legitimate filenames); enable PHP open_basedir restrictions in php.ini to confine file operations to WordPress installation directories only (prevents traversal to system files but may break legitimate theme functionality requiring access to system paths). Monitor web server access logs for suspicious patterns containing encoded or nested directory traversal sequences targeting theme endpoints. Note patched version number not independently confirmed from available data-consult vendor directly for release information.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-35 – Path Traversal: '.../...//'
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today