Description
Path Traversal: '.../...//' vulnerability in ThimPress Ivy School ivy-school allows PHP Local File Inclusion.This issue affects Ivy School: from n/a through <= 1.6.0.
Published: 2025-04-18
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A path traversal vulnerability in the ThimPress Ivy School WordPress theme allows attackers to include arbitrary local files via PHP Local File Inclusion. LFI can be used to read sensitive files on the server. The flaw is a classic Local File Inclusion identified as CWE-35.

Affected Systems

The vulnerability affects the Ivy School theme distributed by ThimPress, impacting all releases up to and including version 1.6.0. No additional version information is provided, so users of versions 1.6.0 or earlier are at risk.

Risk and Exploitability

The CVSS score of 8.1 classifies this error as high severity, while an EPSS score of less than 1% indicates a low current probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. The path traversal can be triggered by sending a crafted URL to the theme, and does not appear to require authentication, meaning an unauthenticated attacker could exploit it.

Generated by OpenCVE AI on May 1, 2026 at 09:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Ivy School theme to the latest version (1.6.1 or later) once it becomes available.
  • If an update cannot be applied immediately, restrict the filesystem permissions of the web server user so that it cannot read sensitive directories such as wp-config.php or the root directory.
  • Configure the web server or use a .htaccess rule to deny PHP execution for the theme’s directories; for example, add "php_flag engine off" in the theme folder to mitigate LFI attempts.

Generated by OpenCVE AI on May 1, 2026 at 09:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-11834 Path Traversal: '.../...//' vulnerability in ThimPress Ivy School allows PHP Local File Inclusion.This issue affects Ivy School: from n/a through 1.6.0.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Path Traversal: '.../...//' vulnerability in ThimPress Ivy School allows PHP Local File Inclusion.This issue affects Ivy School: from n/a through 1.6.0. Path Traversal: '.../...//' vulnerability in ThimPress Ivy School ivy-school allows PHP Local File Inclusion.This issue affects Ivy School: from n/a through <= 1.6.0.
Title WordPress Ivy School <= 1.6.0 - Local File Inclusion Vulnerability WordPress Ivy School theme <= 1.6.0 - Local File Inclusion Vulnerability
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Fri, 18 Apr 2025 12:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 18 Apr 2025 04:45:00 +0000

Type Values Removed Values Added
Description Path Traversal: '.../...//' vulnerability in ThimPress Ivy School allows PHP Local File Inclusion.This issue affects Ivy School: from n/a through 1.6.0.
Title WordPress Ivy School <= 1.6.0 - Local File Inclusion Vulnerability
Weaknesses CWE-35
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:32.232Z

Reserved: 2025-04-16T06:23:43.558Z

Link: CVE-2025-39470

cve-icon Vulnrichment

Updated: 2025-04-18T11:27:55.272Z

cve-icon NVD

Status : Deferred

Published: 2025-04-18T05:15:33.823

Modified: 2026-04-23T15:29:37.457

Link: CVE-2025-39470

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T09:30:14Z

Weaknesses