Oxpitan – Nonprofit Charity WordPress Theme Vulnerability (Critical…


Feb 12, 2026 | Themes

Attack Vectors

Oxpitan (the “Oxpitan – Nonprofit Charity WordPress Theme,” slug: oxpitan) versions up to and including 1.3.1 are affected by a Critical Local File Inclusion (LFI) vulnerability (CVE-2025-32294, CVSS 9.8). Because this issue is unauthenticated, an attacker does not need a username or password to attempt exploitation over the internet.

In practical terms, Local File Inclusion can allow a remote attacker to force a vulnerable site to load files from the server that were never meant to be publicly accessible. Depending on the site’s configuration and what files exist on the server, this can enable exposure of sensitive information, bypass of intended access controls, or—if attacker-controlled files can be placed on the server—execution of harmful PHP code.

Security Weakness

The core weakness is unsafe handling of file paths within the theme, allowing an attacker to influence which local file gets included by WordPress/PHP. When input is not properly restricted to a safe, pre-defined set of files, it can be abused to reach files outside the intended directory and include them during page processing.

For business leaders, the key point is that this is not a “login-required” problem. Combined with common website features—such as media uploads and plugins that store files on disk—LFI can become a stepping stone toward broader compromise. Wordfence reports that in certain conditions even files that appear “safe” (like images) may be leveraged if they can be uploaded and then included.
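The restriction described above, shown as an added illustrative example in WordPress-style PHP; this is not the theme's own code, and the request parameter name `section`, the function name and the template file names are assumptions:

```php
<?php
// Added example (not Oxpitan's code): a template include limited to a fixed
// allowlist, which is the "safe, pre-defined set of files" the text calls for.
// 'section', the function name and the template paths below are assumptions.

// Unsafe pattern: whatever the request supplies reaches include() unchecked.
// include get_template_directory() . '/parts/' . $_GET['section'] . '.php';

function example_render_section( string $requested ): bool {
    // Fixed map of accepted keys to files; nothing outside this map is ever included.
    $allowed = array(
        'about'   => 'parts/about.php',
        'donate'  => 'parts/donate.php',
        'contact' => 'parts/contact.php',
    );

    if ( ! array_key_exists( $requested, $allowed ) ) {
        // Unknown key: record a sanitised copy for detection, then use a safe default.
        $logged = substr( preg_replace( '/[^a-z0-9_-]/i', '?', $requested ), 0, 40 );
        error_log( 'Rejected section parameter: ' . $logged );
        $requested = 'about';
    }

    $base = realpath( get_template_directory() );
    $path = realpath( $base . '/' . $allowed[ $requested ] );

    // Defence in depth: even an allowlisted entry must resolve inside the theme directory.
    if ( false === $base || false === $path
        || 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR ) ) {
        return false;
    }

    include $path;
    return true;
}

example_render_section( isset( $_GET['section'] ) ? (string) $_GET['section'] : 'about' );
```

The key is used only to look up a fixed entry, so the request can select which of the three templates renders but can never name a file of its own.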

Technical or Business Impacts

Confidentiality risk: Exposure of sensitive data stored on the server (configuration details, paths, logs, or other information that supports further attacks), potentially impacting customer trust and compliance obligations.

Integrity risk: If exploitation results in code execution, attackers may be able to change website content, inject malicious scripts, modify donation or contact workflows, and undermine brand credibility—especially damaging for public-facing nonprofit and charity sites using Oxpitan.

Availability risk: A successful compromise can lead to website disruption, defacement, or ransomware-like outcomes. For marketing and operations teams, this can translate into downtime during campaigns, lost donations/leads, and incident-driven pauses to digital initiatives.

Governance and compliance risk: A Critical severity issue with unauthenticated reach increases the likelihood of a reportable security incident depending on what data is accessible. It also raises questions about vendor support and acceptable risk, particularly because there is currently no known patch available.

Recommended action: Since no known patch is available, organizations should evaluate mitigations aligned to risk tolerance, and strongly consider uninstalling Oxpitan <= 1.3.1 and replacing it with a supported alternative. Review the CVE record (CVE-2025-32294) and the vendor intelligence source (Wordfence advisory) to guide remediation decisions and internal risk communication.

Similar Attacks

Local File Inclusion and related file-inclusion weaknesses have been repeatedly used in real-world compromises because they can expose sensitive server-side data and, in some scenarios, lead to remote code execution. Examples include:

CVE-2018-16509 (NVD) — A WordPress plugin file inclusion issue that could enable attackers to include arbitrary files.

CVE-2019-9978 (NVD) — A WordPress-related issue that could be leveraged for serious impact, illustrating how quickly web application flaws can become business threats when exploitation is remote.
