A high-severity vulnerability has been identified in the Soledad theme for WordPress, impacting all versions up to and including version 8. This flaw, tracked as CVE-2025-8142, allows an unauthenticated attacker to access and read sensitive files on the web server. Successful exploitation could lead to the exposure of confidential data, such as database credentials, ultimately resulting in a complete compromise of the affected website.

The vulnerability is a Local File Inclusion (LFI). This occurs because the application uses user-supplied input to construct a path to a file that is intended for inclusion on the web page without proper validation. An unauthenticated remote attacker can exploit this by crafting a special request that manipulates the file path, tricking the server into reading and displaying the contents of arbitrary files on the local file system. For example, an attacker could potentially read the wp-config.php file to obtain database credentials or system files like /etc/passwd to gather user information.

This vulnerability presents a significant risk to the organization, reflected by its High severity rating with a CVSS score of 8.8. Exploitation can lead to the unauthorized disclosure of sensitive information, including customer data, intellectual property, and critical system configuration files. The theft of database credentials from wp-config.php could allow an attacker to gain full control over the website's database, leading to data theft, modification, or destruction. This could result in severe reputational damage, financial loss, and potential regulatory fines.

Immediate Action: Immediately update the Soledad WordPress theme to the latest version available from the vendor, which is a version greater than 8. After updating, review all installed WordPress plugins and themes to ensure they are necessary and up-to-date, removing any that are no longer required to reduce the overall attack surface.

Proactive Monitoring: Monitor web server access logs for requests containing directory traversal patterns (e.g., ../, ..%2f, %2e%2e%2f) or attempts to access sensitive files like wp-config.php, /etc/passwd, or other system configuration files. A sudden increase in HTTP 404 or 500 error codes from a specific IP address could also indicate scanning or exploitation attempts.

Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) with rulesets designed to detect and block Local File Inclusion and directory traversal attacks. Additionally, enforce strict file permissions on the web server to limit the files that the web server's user account is permitted to read, preventing access to critical system files outside of the web root directory.

Public Exploit Available: true

Given the high CVSS score of 8.8 and the public availability of exploit code, this vulnerability should be treated as a critical priority. We strongly recommend that all organizations using the Soledad WordPress theme immediately apply the vendor-supplied update. Although this CVE is not currently listed on the CISA KEV catalog, its severity and the ease of exploitation warrant immediate attention to prevent potential data breaches and system compromise.