Attack Vectors
Yozi – Multipurpose Electronics WooCommerce WordPress Theme (slug: yozi) versions up to and including 2.0.63 are affected by CVE-2025-32289, a Critical vulnerability (CVSS 9.8; vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Because the flaw requires no authentication (PR:N) and no user interaction (UI:N), an attacker can attempt exploitation remotely over the internet with nothing more than HTTP requests to the site. In practical terms, any public-facing WordPress site running a vulnerable Yozi version can be probed and targeted directly, including high-traffic marketing and ecommerce storefronts, and the theme's public style.css header makes the installed version easy to fingerprint.
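Because the advisory does not name the vulnerable request parameter, the first signal a defender usually has is generic: traversal sequences, PHP stream wrappers or sensitive file names appearing in request targets against the site. The following Python scanner is an added example (not part of the original advisory or of Wordfence's tooling) that runs such checks over constructed access-log lines; the log entries, IP addresses and parameter names (`page`, `tpl`, `file`) are assumptions made for the example.

```python
"""Flag LFI / path-traversal probes in web server access logs.

Added example for this advisory page. The sample log lines are constructed,
and the detection is deliberately generic (traversal, PHP wrappers, sensitive
file names) because the advisory does not name the affected parameter.
"""
import re
from typing import Dict, List
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed Combined Log Format lines; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2025:12:00:01 +0000] "GET /?page=../../../../wp-config.php HTTP/1.1" 200 512
203.0.113.7 - - [10/Jun/2025:12:00:02 +0000] "GET /?tpl=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1310
203.0.113.7 - - [10/Jun/2025:12:00:03 +0000] "GET /?tpl=%252e%252e%252fwp-config.php HTTP/1.1" 200 512
203.0.113.7 - - [10/Jun/2025:12:00:04 +0000] "GET /?file=php://filter/convert.base64-encode/resource=wp-config.php HTTP/1.1" 200 700
198.51.100.4 - - [10/Jun/2025:12:00:05 +0000] "GET /shop/?orderby=price HTTP/1.1" 200 8190
198.51.100.4 - - [10/Jun/2025:12:00:06 +0000] "GET /wp-content/themes/yozi/style.css HTTP/1.1" 200 4012
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
TRAVERSAL = re.compile(r'(^|[/\\])\.\.([/\\]|$)')
WRAPPER = re.compile(r'^(php|phar|data|expect|zip|glob|compress\.zlib)://', re.I)
SENSITIVE = re.compile(r'wp-config\.php|/etc/passwd|/proc/self/environ', re.I)


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded probes (%252e%252e) are seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_target(target: str) -> List[str]:
    """Return the reasons a request target looks like an LFI/traversal probe."""
    parts = urlsplit(target)
    candidates = [decode_fully(parts.path)]
    candidates += [decode_fully(v) for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    reasons = set()
    for value in candidates:
        if "\x00" in value:
            reasons.add("null-byte")
        if TRAVERSAL.search(value):
            reasons.add("traversal")
        if WRAPPER.match(value):
            reasons.add("php-wrapper")
        if SENSITIVE.search(value):
            reasons.add("sensitive-file")
    return sorted(reasons)


def scan_log(text: str) -> List[Dict[str, object]]:
    """Parse each line and keep only requests that trip at least one check."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = classify_target(m["target"])
        if reasons:
            hits.append({"ip": m["ip"], "status": int(m["status"]),
                         "target": m["target"], "reasons": reasons})
    return hits


def probes_per_ip(hits: List[Dict[str, object]]) -> Dict[str, int]:
    """Count flagged requests per source address for triage."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(h["ip"], h["status"], ",".join(h["reasons"]), h["target"])
    print(probes_per_ip(found))
```

A 200 response to a flagged request deserves more attention than a 404, since it suggests the include path was reachable; the status is kept in each hit for that reason. Double decoding is bounded at three rounds so a hostile value cannot make the scanner loop.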
Security Weakness
The vulnerability is a Local File Inclusion (LFI) weakness in the Yozi theme. LFI arises when request-controlled input reaches a PHP include or require call without adequate validation, so the attacker chooses which file on the server the application loads. At minimum that exposes the contents of files the web server can read, such as configuration files holding database credentials; it becomes code execution when the attacker can first place a file containing PHP on the server and then include it, since include() runs whatever PHP the file contains regardless of its extension.
According to the published advisory, this weakness can be used to bypass access controls, obtain sensitive data, or achieve code execution in scenarios where files that appear "safe" (such as images or similar types) can be uploaded and then included.
Technical or Business Impacts
For business leaders, the biggest concern with a Critical LFI is that it can move quickly from a “website bug” to a company-wide incident. Potential outcomes include data exposure (customer data, order details, internal configuration), site defacement, and loss of availability for revenue-generating pages and checkout flows.
If code execution is achieved, attackers may be able to establish persistence (e.g., backdoors), inject malicious content into marketing pages, redirect paid-traffic landing pages, or abuse the site’s reputation for phishing. This can drive brand damage, lost conversion, and ad platform disruptions if malicious activity is detected.
From a compliance and governance perspective, unauthorized access to sensitive information can trigger breach notification obligations, contractual reporting requirements, and additional audit scrutiny. Even when no regulated data is confirmed as exfiltrated, incident response, forensics, and downtime can create meaningful unplanned cost and leadership distraction.
Remediation: Update Yozi to version 2.0.66.1 or newer (patched). Track the CVE record here: CVE-2025-32289. Source advisory: Wordfence vulnerability intelligence.
Similar Attacks
Local File Inclusion and related “path traversal” flaws have been used across the industry to expose sensitive files and, in some cases, enable further compromise. Examples include:
CVE-2021-41773 (Apache HTTP Server 2.4.49 path traversal and file disclosure; also remote code execution where mod_cgi was enabled)
CVE-2020-1938 (Apache Tomcat "Ghostcat": arbitrary file read, and file inclusion where uploads were possible, via the exposed AJP connector)