CVE-2025-49879 HIGH

CVE-2025-49879: WordPress Litho theme <= 3.0 - Arbitrary File Deletion Vulnerability

Vendor: Themezaa
Product: Litho
Weakness: CWE-22 · Path traversal
Published: June 17, 2025
Last update: April 28, 2026

CVSS base score

8.6/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Confidentiality: None
Integrity: None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

What the vulnerability does

01 Description

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in themezaa Litho litho allows Path Traversal. This issue affects Litho: from n/a through <= 3.0.

Explanation of Vulnerability in Simple Terms

02 Summary

Litho versions 3.0 and earlier contain a path traversal vulnerability, reported as arbitrary file deletion, that allows an attacker to cause a denial of service by making the application unavailable. The vulnerability requires no authentication or user interaction and can be exploited over the network. The impact extends beyond the vulnerable component itself (scope changed, S:C in the CVSS vector).

What an attacker can do

03 Attacker Capabilities

Make the Litho application unavailable or unresponsive by exploiting a path traversal flaw.

Potential impact on your site

04 Site Impact

Your site using Litho may become unavailable or experience service disruption without warning.

Conditions required to exploit

05 Prerequisites

Network access to the Litho application. No authentication or user interaction required.

Key dates

06 Disclosure timeline

June 17, 2025: CVE published
April 28, 2026: Record updated