Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Network-reachable unauthenticated LFI (AV:N/PR:N/UI:N); AC:H for parameter/traversal discovery; full C:H from arbitrary file read, but I/A only Low absent confirmed RCE path.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Local File Inclusion in Food Drop <= 1.3 versions.
AnalysisAI
Unauthenticated local file inclusion in the Food Drop WordPress theme versions 1.3 and earlier allows remote attackers to read arbitrary server files or potentially achieve PHP code execution by abusing an improperly controlled include/require path (CWE-98). The flaw was disclosed by Patchstack and tracked as EUVD-2025-210202; no public exploit code or active exploitation has been identified at time of analysis, but the network-reachable, no-auth attack surface makes it a meaningful risk for any site running this theme.
Technical ContextAI
The affected component is the Food Drop WordPress theme (CPE cpe:2.3:a:themerex:food_drop) published by ThemeRex, a PHP-based theme typically deployed on the front-end of WordPress sites. CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program - 'PHP Remote File Inclusion') indicates the theme passes user-controlled input into a PHP include(), require(), include_once() or require_once() call without proper sanitization or allow-listing. In WordPress themes this typically appears as a parameter that selects a template, view, or partial file; if the value is not constrained to a known set, an attacker can traverse the filesystem (../) or, with allow_url_include enabled, reference external resources, leading to disclosure of files such as wp-config.php or execution of attacker-controlled PHP.
RemediationAI
Upstream fix available per the Patchstack advisory; a released patched version is not independently confirmed from the provided data, so administrators should upgrade Food Drop to the latest vendor release above 1.3 once published and verify the version on disk after upgrade - consult https://patchstack.com/database/wordpress/theme/food-drop/vulnerability/wordpress-food-drop-theme-1-3-local-file-inclusion-vulnerability for the authoritative fix reference. Until a fixed build is applied, compensating controls include deactivating and removing the Food Drop theme and switching to an unaffected theme (side effect: site appearance changes), placing a WAF rule in front of WordPress that blocks path-traversal sequences (../, encoded variants, php://, file://) and known-bad parameter values on theme endpoints (side effect: may break legitimate template selection in edge cases), setting PHP's allow_url_include=Off and tightening open_basedir to the WordPress document root (side effect: may impact plugins that rely on remote includes), and restricting filesystem read permissions on sensitive files like wp-config.php to the web user only.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-98 – PHP Remote File Inclusion
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210202