Attack Vectors
The Oxpitan – Nonprofit Charity WordPress Theme (slug: oxpitan) is affected by a Critical vulnerability (CVSS 9.8) that can be exploited without authentication in versions up to and including 1.3.5.
This issue is a Local File Inclusion (LFI), which means an external attacker can attempt to force the website to load server-side files that were never meant to be publicly accessible. Depending on what files are reachable, this can lead to sensitive data exposure or even code execution.
Reference: CVE-2025-32294 (CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Source: Wordfence advisory.
Security Weakness
The underlying weakness is that the theme can be tricked into including files from the server in a way that is not properly restricted. Because the vulnerability is unauthenticated, an attacker does not need a user account to attempt exploitation.
Wordfence notes that this can allow attackers to include and execute arbitrary files on the server, so any PHP code in a reachable file runs in the context of the site. In practical business terms, this means a public-facing marketing or donation site could become an entry point for broader compromise of your web presence.
Remediation: Update Oxpitan to version 1.3.6 or a newer patched version.
Technical or Business Impacts
Because this is rated Critical (CVSS 9.8) and is exploitable over the network with no login required, the potential impacts are severe and can escalate quickly from a website issue to a business incident.
Potential outcomes include: exposure of sensitive data (configuration details, operational information, or other files the server can access), bypass of access controls, website defacement, malware injection, and potential full site takeover if code execution is achieved. For marketing and executive leadership, this can translate into reputational damage, campaign disruption, lost donations or lead flow, increased ad waste due to site downtime, and regulatory/compliance reporting obligations depending on what data is exposed.
Similar attacks (real examples): File inclusion and path traversal issues have been used in high-profile incidents, such as Apache HTTP Server path traversal (CVE-2021-41773), Citrix ADC directory traversal (CVE-2019-19781), and Fortinet FortiOS path traversal (CVE-2018-13379). These incidents illustrate how “read files” weaknesses can quickly become breach-and-control events.
If your organization uses Oxpitan, prioritize updating to 1.3.6+, confirm the active theme version across all environments (production, staging, microsites), and coordinate internal stakeholders (Marketing, IT, Compliance) to document remediation and monitor for signs of compromise.
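To support the version check across environments, the following added script (not code from Wordfence or the theme vendor) reads the standard WordPress theme header in style.css and flags any copy of Oxpitan older than the patched 1.3.6 release; the sample headers embedded in it are constructed, and the assumption that the "Theme Name" field contains "oxpitan" is noted in the code.

```python
"""Audit Oxpitan installs against the patched release named in the advisory.

Added example, not code from Wordfence or the theme vendor. It parses the
standard WordPress theme header in style.css ("Theme Name:", "Version:")
and flags copies older than 1.3.6. The sample headers below are constructed.
"""
import re
from pathlib import Path

THEME_SLUG = "oxpitan"
PATCHED_VERSION = "1.3.6"  # first fixed release per the advisory

# Header fields sit in a comment block at the top of style.css, one "Key: value" per line.
HEADER_RE = re.compile(r"^[ \t*]*(Theme Name|Version)[ \t]*:[ \t]*(.+?)[ \t]*$", re.MULTILINE)


def parse_theme_header(style_css: str) -> dict:
    """Return the Theme Name and Version fields found in a style.css header."""
    return dict(HEADER_RE.findall(style_css))


def version_tuple(version: str) -> tuple:
    """Split '1.3.5' into (1, 3, 5) so releases compare numerically, not as strings."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def is_vulnerable(version: str) -> bool:
    """True when the installed version is older than the patched one."""
    return version_tuple(version) < version_tuple(PATCHED_VERSION)


def audit_environments(headers: dict) -> dict:
    """Map each environment name to 'vulnerable', 'patched' or 'not-oxpitan'."""
    result = {}
    for env, css in headers.items():
        fields = parse_theme_header(css)
        # Assumption: the theme's "Theme Name" header contains the slug "oxpitan".
        if THEME_SLUG not in fields.get("Theme Name", "").lower():
            result[env] = "not-oxpitan"
        elif is_vulnerable(fields.get("Version", "0")):
            result[env] = "vulnerable"
        else:
            result[env] = "patched"
    return result


def read_theme_css(wp_root: str) -> str:
    """Read style.css from the standard theme location under a WordPress install."""
    return (Path(wp_root) / "wp-content" / "themes" / THEME_SLUG / "style.css").read_text()


# Constructed sample headers standing in for production, staging and a microsite.
SAMPLE_HEADERS = {
    "production": "/*\nTheme Name: Oxpitan\nVersion: 1.3.5\n*/\n",
    "staging": "/*\nTheme Name: Oxpitan\nVersion: 1.3.6\n*/\n",
    "microsite": "/*\nTheme Name: Twenty Twenty-Four\nVersion: 1.0\n*/\n",
}

if __name__ == "__main__":
    for env, status in audit_environments(SAMPLE_HEADERS).items():
        print(f"{env}: {status}")
```

For real installs, replace the sample dictionary with `{"production": read_theme_css("/var/www/prod"), ...}` pointing at each environment's WordPress root.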