DSK – Furniture Store WooCommerce WordPress Theme Vulnerability (Cr…

by | Feb 25, 2026 | Themes

Attack Vectors

CVE-2025-24761 affects the DSK – Furniture Store WooCommerce WordPress Theme (slug: dsk) in versions below 2.4. Because the issue is unauthenticated, an external attacker can target a vulnerable site over the internet without needing a username or password.

The vulnerable behavior is a Local File Inclusion (LFI) condition. In practical terms, an attacker may be able to force the site to load (“include”) files from the server. If the attacker can get a file onto the server (for example, by abusing any existing upload capability on the site or within another plugin/theme), they may be able to have WordPress execute the PHP code inside that file.

Security Weakness

This is a Critical vulnerability (CVSS 9.8; vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) stemming from insufficient controls around what files the theme will load and execute. The result is that user-controlled input can potentially influence which local server file gets included.

Wordfence’s advisory states that this can be used to bypass access controls, obtain sensitive data, or achieve code execution in scenarios where files that appear “safe” (such as images or other uploadable types) can be uploaded and then included in a way that triggers PHP execution.
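The pattern behind this class of weakness, as an added illustration that is not code from the DSK theme or from the Wordfence advisory: a hypothetical theme helper that includes a template part named by request input, shown first without controls and then with an allowlist plus a resolved-path check. Function names, the `parts/` directory and the `part` query parameter are assumptions for the example.

```php
<?php
// Hypothetical theme helper, written for this article to illustrate the
// advisory's description of "insufficient controls around what files the
// theme will load and execute". Not the DSK theme's actual code.

// VULNERABLE: the file name comes straight from the request. Traversal
// sequences in $part can point the include at any readable file on the
// server, including a file an attacker managed to upload elsewhere, and
// PHP will execute any code that file contains.
function theme_render_part_vulnerable(string $part): void {
    include get_template_directory() . '/parts/' . $part . '.php';
}

// HARDENED: accept only a fixed set of known part names, then confirm the
// resolved path still lies inside the theme's parts directory.
function theme_render_part_safe(string $part): void {
    $allowed = ['header', 'footer', 'product-grid', 'sidebar'];
    if (!in_array($part, $allowed, true)) {
        return; // unknown part name: render nothing, do not include anything
    }

    $base = realpath(get_template_directory() . '/parts');
    $path = realpath($base . '/' . $part . '.php');

    // realpath() returns false for a missing file. The prefix comparison is
    // a second line of defence in case the allowlist is ever widened.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return;
    }

    include $path;
}

// Dispatch only through the hardened function. sanitize_key() reduces the
// value to lowercase letters, digits, underscores and hyphens before the
// allowlist is consulted.
add_action('template_redirect', function (): void {
    $part = isset($_GET['part'])
        ? sanitize_key(wp_unslash($_GET['part']))
        : 'header';
    theme_render_part_safe($part);
});
```

When reviewing a theme or plugin for this defect, look for `include`/`require` calls whose path is built from `$_GET`, `$_POST`, `$_REQUEST` or shortcode attributes without an allowlist like the one above.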

Technical or Business Impacts

For business leaders, the risk is not limited to “a bug in a theme.” A successful exploit can translate into full site compromise, including the ability to steal or manipulate data and disrupt operations. Because the attacker does not need credentials, this can be leveraged in broad, automated attacks that scan for vulnerable sites.

Potential impacts include: loss of confidentiality (exposure of customer or order data), integrity issues (content changes, malware injection, unauthorized redirects that harm brand trust and SEO), and availability disruption (site downtime impacting revenue). If your organization has compliance obligations, an incident may trigger breach reporting, legal review, and third-party forensics—often far more costly than the underlying fix.

Remediation: Update the DSK theme to version 2.4 or a newer patched release. Reference: Wordfence vulnerability record. Official CVE record: CVE-2025-24761.

Similar Attacks

File-inclusion and related web application flaws have a long history of being used to move from “reading files” to “running code,” particularly when attackers can pair them with some way to place a file on the server. Examples of high-impact, widely referenced incidents include:

CVE-2018-7600 (Drupalgeddon 2) — a critical web application flaw that enabled remote code execution at scale, demonstrating how quickly automated exploitation can spread once public.
CVE-2020-25213 (WordPress File Manager plugin) — a WordPress ecosystem incident used for mass compromise, illustrating the business impact of unauthenticated pathways to server-side code execution.
