PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-58954 ThemeREX CVE debrief

CVE-2025-58954 is a high-severity vulnerability in the HomeRoofer theme, version 2.11.0 or earlier. It is an unauthenticated local file inclusion issue that could allow attackers to access sensitive files on the server. The vulnerability was published on June 17, 2026, and has a CVSS score of 8.1. Organizations using an affected version of HomeRoofer should take immediate action to mitigate it. The CVE record and NVD detail provide further information on this vulnerability.

Vendor: ThemeREX
Product: HomeRoofer
CVSS: HIGH 8.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-17
Original CVE updated: 2026-06-17
Advisory published: 2026-06-17
Advisory updated: 2026-06-17

Who should care

Administrators and security teams responsible for managing WordPress installations with the HomeRoofer theme, version 2.11.0 or earlier, should be aware of this vulnerability and take necessary actions to mitigate it.

Technical summary

CVE-2025-58954 is an unauthenticated local file inclusion vulnerability in the HomeRoofer theme, version 2.11.0 or earlier. It has a CVSS score of 8.1 with the vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H and is classified under CWE-98. The vulnerability was reported by [email protected].

Defensive priority

High

Recommended defensive actions

  • Update the HomeRoofer theme to a version that is not vulnerable.
  • Restrict access to sensitive files on the server.
  • Implement additional security measures to prevent local file inclusion attacks.
  • Monitor server logs for suspicious activity.
  • Consider using a web application firewall to detect and prevent attacks.
  • Keep software and plugins up-to-date.
  • Perform regular security audits and vulnerability assessments.
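
One way to find installations in the affected range, as an added example that is not part of the advisory or of ThemeREX code: it walks a directory tree for WordPress themes whose style.css header names HomeRoofer and flags versions 2.11.0 or earlier. The header text "HomeRoofer", the directory layout and the sample version numbers are assumptions constructed for the demo.

```python
import re
import tempfile
from pathlib import Path

AFFECTED_MAX = (2, 11, 0)   # from the advisory: 2.11.0 or earlier
THEME_NAME = "homeroofer"   # assumption: "Theme Name:" header reads HomeRoofer
HEADER_RE = re.compile(r"^[ \t/*#@]*(Theme Name|Version):(.*)$", re.I | re.M)

def read_header(style_css: Path) -> dict:
    """Return the first Theme Name / Version fields of a style.css header."""
    fields = {}
    text = style_css.read_text(encoding="utf-8", errors="replace")[:8192]
    for key, value in HEADER_RE.findall(text):
        fields.setdefault(key.lower(), value.strip())
    return fields

def parse_version(text: str):
    """'2.9' -> (2, 9, 0); None when the text does not start with a number."""
    m = re.match(r"\d+(?:\.\d+)*", text)
    parts = [int(p) for p in m.group().split(".")] if m else []
    return tuple(parts + [0] * (3 - len(parts))) if parts else None

def find_installs(root: Path) -> list:
    """List (theme dir, version text, status) for each HomeRoofer copy."""
    rows = []
    for css in sorted(root.rglob("wp-content/themes/*/style.css")):
        header = read_header(css)
        if header.get("theme name", "").lower() != THEME_NAME:
            continue
        version = parse_version(header.get("version", ""))
        if version is None:
            status = "unknown"  # no usable Version header: check by hand
        else:  # numeric tuple compare, so 2.9 sorts below 2.11
            status = "affected" if version <= AFFECTED_MAX else "outside-affected-range"
        rel = css.parent.relative_to(root).as_posix()
        rows.append((rel, header.get("version", ""), status))
    return rows

def build_sample(root: Path) -> None:
    """Constructed sample tree; the version numbers are made up for the demo."""
    for site, version in (("a", "2.11.0"), ("b", "2.9"), ("c", "2.12.1")):
        theme = root / site / "wp-content" / "themes" / "homeroofer"
        theme.mkdir(parents=True)
        (theme / "style.css").write_text(f"/*\nTheme Name: HomeRoofer\nVersion: {version}\n*/\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(Path(tmp))
        print(*find_installs(Path(tmp)), sep="\n")
```

To scan a real host, pass the web root to `find_installs` instead of the sample tree; a status of "outside-affected-range" only means the version is above 2.11.0, since the advisory does not name a fixed release.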

Evidence notes

The information provided is based on data from the CVE.org and NVD databases. The CVE record and NVD detail provide further information on this vulnerability. The vulnerability was reported by [email protected].

Official resources

CVE-2025-58954 was published on June 17, 2026.