CVE-2025-39359 HIGH

CVE-2025-39359: WordPress CWW Portfolio theme <= 1.3.1 - Local File Inclusion vulnerability

Vendor Codeworkweb
Product CWW Portfolio
Weakness CWE-98 · PHP file inclusion
Published April 24, 2025
Last update May 12, 2026

CVSS base score

7.5/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in codeworkweb CWW Portfolio cww-portfolio allows PHP Local File Inclusion.This issue affects CWW Portfolio: from n/a through <= 1.3.1.

Explanation of Vulnerability in Simple Terms

02Summary

CWW Portfolio versions up to 1.3.1 contain a vulnerability that allows an attacker to read sensitive data, modify site content, or disrupt service. The attack requires network access and user interaction—typically the victim must click a malicious link or visit a crafted page. The vulnerability stems from improper input handling (CWE-98). Site administrators should update immediately when a patch becomes available.

What an attacker can do

03Attacker Capabilities

Read sensitive data, modify site content, or cause the site to become unavailable.

Potential impact on your site

04Site Impact

Attackers can steal data, deface your portfolio, or take the site offline without needing a user account.

Conditions required to exploit

05Prerequisites

Victim must click a malicious link or visit an attacker-controlled page; no authentication required.

Key dates

06Disclosure timeline

April 24, 2025 CVE published
May 12, 2026 Record updated