Attack Vectors
Domnoo – Pizza & Restaurant WordPress Theme (slug: domnoo) has a High-severity vulnerability (CVSS 8.1) identified as CVE-2025-52812. Because the issue is unauthenticated, an attacker can target exposed WordPress sites running Domnoo versions up to and including 1.49 without needing a user account.
In practical terms, an attacker can send crafted web requests designed to make the site include local files from the server. If the attacker can get a file onto the server that contains PHP code (including scenarios where “safe” file types can be uploaded and then included), this can be leveraged to run that code through the website.
Security Weakness
This vulnerability is a Local File Inclusion (LFI) weakness in Domnoo (versions ≤ 1.49). LFI occurs when a website feature allows a user-controlled value to determine which file is loaded by the server, without sufficient validation or restriction.
According to the published advisory, successful exploitation can allow attackers to include and execute arbitrary files on the server, which may enable bypassing access controls, accessing sensitive information, or achieving code execution when files containing PHP can be uploaded and then included.
Technical or Business Impacts
Because this issue can lead to sensitive data exposure and potential code execution, the business risk is significant—especially for restaurant brands and franchises where websites often connect to marketing analytics, contact forms, and sometimes operational tooling.
Potential impacts include website takeover, unauthorized access to confidential information (such as configuration files or data exposed through included files), service disruption, SEO spam and brand damage, and incident response costs. For compliance stakeholders, a successful attack may trigger breach assessment and reporting obligations depending on what data is accessible through the site.
Remediation: Update Domnoo to version 1.52.1 or a newer patched version as recommended by the source advisory. After updating, consider reviewing site logs and file integrity for signs of exploitation, particularly if the site is publicly accessible and was running a vulnerable version.
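As an added illustration of the log review suggested above (not code from the advisory, Wordfence, or the theme itself), the following Python scans constructed Apache-style access-log lines for query parameters that, after repeated URL-decoding, match generic file-inclusion indicators such as directory traversal or stream wrappers. The parameter name `template`, the indicator list, and every log line are assumptions made up for the example; the advisory does not name the vulnerable parameter.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample access-log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jan/2025:12:00:01 +0000] "GET /?page=home HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.11 - - [10/Jan/2025:12:00:02 +0000] "GET /?template=../../../../wp-config.php HTTP/1.1" 200 812 "-" "curl/8.0"
203.0.113.12 - - [10/Jan/2025:12:00:03 +0000] "GET /?template=..%252F..%252Fetc%252Fpasswd HTTP/1.1" 200 640 "-" "python-requests/2.31"
203.0.113.13 - - [10/Jan/2025:12:00:04 +0000] "GET /menu/?item=42 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Generic LFI indicators (an assumed, illustrative list), applied after repeated URL-decoding.
INDICATORS = (
    re.compile(r'\.\.[\\/]'),             # directory traversal
    re.compile(r'^[a-z]+://', re.I),      # stream wrappers such as php:// or file://
    re.compile(r'wp-config\.php|/etc/passwd', re.I),
)

def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding so double-encoded traversal becomes visible."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(target):
    """Return (name, decoded_value) for query parameters that match an LFI indicator."""
    hits = []
    for name, raw in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        value = fully_decode(raw)
        if any(p.search(value) for p in INDICATORS):
            hits.append((name, value))
    return hits

def scan_log(text):
    """Return one finding per log line whose query string carries an LFI indicator."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and (hits := suspicious_params(m.group("target"))):
            findings.append({"ip": m.group("ip"), "status": m.group("status"), "params": hits})
    return findings
```

A 200 response on a flagged request is worth a closer look at the returned size and at file integrity, since the advisory notes the issue is exploitable without authentication.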
Similar Attacks
File inclusion and related “read local files / execute code” attack patterns are commonly abused because they can quickly escalate from a single web request into full site compromise. Examples of similar high-impact issues include:
CVE-2021-41773 (Apache HTTP Server path traversal and file disclosure)
CVE-2021-42013 (Apache HTTP Server path traversal with potential RCE under certain configurations)
For reference on this Domnoo vulnerability specifically, see the published details from Wordfence: Domnoo <= 1.49 – Unauthenticated Local File Inclusion.