CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-49508 – WordPress CozyStay < 1.7.1 - Local File Inclusion Vulnerability
https://notcve.org/view.php?id=CVE-2025-49508
11 Jun 2025 — Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in LoftOcean CozyStay allows PHP Local File Inclusion. This issue affects CozyStay: from n/a through n/a. The CozyStay theme for WordPress is vulnerable to Local File Inclusion in versions up to 1.7.1. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass acc... • https://patchstack.com/database/wordpress/theme/cozystay/vulnerability/wordpress-cozystay-1-7-1-local-file-inclusion-vulnerability?_s_id=cve • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-49507 – WordPress CozyStay < 1.7.1 - PHP Object Injection Vulnerability
https://notcve.org/view.php?id=CVE-2025-49507
09 Jun 2025 — Deserialization of Untrusted Data vulnerability in LoftOcean CozyStay allows Object Injection.This issue affects CozyStay: from n/a before 1.7.1. The CozyStay theme for WordPress is vulnerable to PHP Object Injection in versions up to 1.7.1 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it c... • https://patchstack.com/database/wordpress/theme/cozystay/vulnerability/wordpress-cozystay-1-7-1-php-object-injection-vulnerability?_s_id=cve • CWE-502: Deserialization of Untrusted Data •