Attack Vectors
Kiamo – Responsive Business Service WordPress Theme (slug: kiamo) has a Critical vulnerability (CVE-2025-31633, CVSS 9.8) that can be exploited remotely by an attacker with no login required. Because this is an Unauthenticated Local File Inclusion (LFI) issue affecting versions before 1.3.6, attackers can target public-facing sites directly over the internet.
In practical terms, LFI on its own lets an attacker make the server include files that already exist on it; the outcome that matters most, code execution, needs a second ingredient: a file the attacker controls somewhere on disk. WordPress sites routinely provide one through contact forms, the media library, or other upload features. PHP executes any <?php block it finds in an included file regardless of that file's extension, so a file that passed an extension-only upload check as an image is still executable once the theme is tricked into including it. Getting a “safe-looking” file onto the server and then steering the vulnerable include at it is the usual chain from this flaw to arbitrary code execution.
Security Weakness
The underlying weakness is a Local File Inclusion flaw in Kiamo – Responsive Business Service WordPress Theme in all versions before 1.3.6. According to the published advisory, an unauthenticated attacker can make the theme include arbitrary files from the server, and any PHP code in those files runs with the privileges of the web server process.
This matters because a controlled include can be used to bypass access controls, read sensitive files, or achieve code execution. The code-execution case is the serious one, and it is reachable wherever the site also accepts uploads: files that look non-executable by extension (images and other “safe” types) are still executed as PHP when an include statement loads them.
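The following stand-alone PHP script is an added illustration of the upload-then-include chain described above, placed next to the hardened form a theme should use. It is not Kiamo's code: the advisory does not publish the vulnerable code path, so the template parameter, directory layout, file names and the constructed "avatar.jpg" are assumptions chosen to show the generic pattern.

```php
<?php
// Added example: a generic theme "template switch" with the LFI shape this
// advisory describes, next to a hardened version. Not Kiamo's code; the
// parameter name, directory layout and file names are assumptions.
declare(strict_types=1);

// --- Vulnerable pattern -------------------------------------------------
// The include path is built from an attacker-controlled value. "../" walks
// out of the templates directory, and PHP executes any <?php block it finds
// in the included file regardless of the file's extension, so an uploaded
// "image" that carries PHP is enough for code execution.
function render_template_vulnerable(string $template, string $themeDir): string
{
    ob_start();
    include $themeDir . '/templates/' . $template;
    return (string) ob_get_clean();
}

// --- Hardened pattern ---------------------------------------------------
// 1. The request value selects a key from a fixed allowlist; it never forms
//    part of the path itself.
// 2. The final path is canonicalised with realpath() and must remain inside
//    the templates directory (belt and braces, in case the allowlist is ever
//    edited to contain a relative path or a symlink).
const TEMPLATE_ALLOWLIST = [
    'default'  => 'default.php',
    'services' => 'services.php',
    'contact'  => 'contact.php',
];

function resolve_template_safe(string $requested, string $themeDir): ?string
{
    if (!array_key_exists($requested, TEMPLATE_ALLOWLIST)) {
        return null;                      // unknown key: refuse, do not guess
    }
    $base = realpath($themeDir . '/templates');
    $path = realpath($themeDir . '/templates/' . TEMPLATE_ALLOWLIST[$requested]);
    if ($base === false || $path === false) {
        return null;                      // missing file or directory
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;                      // resolved outside the templates dir
    }
    return $path;
}

function render_template_safe(string $requested, string $themeDir): string
{
    $path = resolve_template_safe($requested, $themeDir);
    if ($path === null) {
        http_response_code(400);
        return "invalid template\n";
    }
    ob_start();
    include $path;
    return (string) ob_get_clean();
}

// --- Stand-alone demonstration with constructed files -------------------
$root = sys_get_temp_dir() . '/lfi-demo-' . bin2hex(random_bytes(4));
mkdir("$root/theme/templates", 0700, true);
mkdir("$root/uploads", 0700, true);
file_put_contents("$root/theme/templates/default.php", "default template\n");
// Constructed upload: a GIF header followed by PHP. An extension-only or
// magic-bytes-only upload check would accept it as an image.
file_put_contents(
    "$root/uploads/avatar.jpg",
    'GIF89a<?php echo "PHP ran as " . get_current_user() . "\n"; ?>'
);

$attack = '../../uploads/avatar.jpg';   // templates -> theme -> root -> uploads
echo 'vulnerable: ', render_template_vulnerable($attack, "$root/theme");
echo 'hardened:   ', render_template_safe($attack, "$root/theme");
echo 'hardened:   ', render_template_safe('default', "$root/theme");

// Remove the constructed files.
unlink("$root/uploads/avatar.jpg");
unlink("$root/theme/templates/default.php");
rmdir("$root/uploads");
rmdir("$root/theme/templates");
rmdir("$root/theme");
rmdir($root);
```

Run it with `php lfi-demo.php`: the vulnerable path prints the GIF header followed by the output of the embedded PHP, the hardened path refuses the traversal string and only serves the allowlisted template. Note that `allow_url_include` is off in PHP by default, which is exactly why the upload step matters: the attacker needs a local file, and a site that accepts uploads gives them one.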
Remediation: Update the theme to version 1.3.6 or a newer patched version. Updating closes the include flaw but does not undo an earlier compromise, so on a site that was exposed while vulnerable it is worth reviewing wp-content/uploads for files that contain PHP open tags and checking web server access logs for traversal sequences (../) or upload paths in requests aimed at the theme's directory. References: CVE-2025-31633 and the Wordfence advisory for this issue.
Technical or Business Impacts
Because the reported severity is Critical and exploitation is unauthenticated, the business risk is immediate for any site still running a vulnerable version of the Kiamo theme. Successful exploitation ends in code execution as the web server account, which is enough to read wp-config.php (and with it the database credentials), read or modify any content and files the site stores, and plant a persistent backdoor that survives the later theme update.
From a business perspective, likely impacts include website downtime, loss of customer trust, damage to brand reputation, and potential regulatory or contractual exposure if sensitive data is accessed (for example, data tied to inquiries, leads, or customer communications). Marketing and sales teams may also see direct revenue impact if landing pages are disrupted, SEO rankings drop due to site defacement/malware flags, or paid campaigns are paused because the site is deemed unsafe.
Similar Attacks
Unauthenticated file inclusion and path traversal issues are a recurring pattern across web platforms, often leading to data exposure and, in some cases, remote code execution. Examples of well-documented, similar classes of vulnerabilities include:
CVE-2021-41773 (Apache HTTP Server 2.4.49: path traversal and file disclosure; remote code execution when mod_cgi is enabled)
CVE-2021-42013 (Apache HTTP Server 2.4.49 and 2.4.50: incomplete fix for CVE-2021-41773, with the same traversal and RCE conditions)
CVE-2019-9978 (WordPress plugin “Social Warfare” before 3.5.3: remote file inclusion that fetched and evaluated attacker-supplied content, leading to remote code execution)