CVE-2025-49365
Published: 18 December 2025
Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Jack Well jack-well allows PHP Local File Inclusion.This issue affects Jack Well: from n/a through <= 1.0.14.
Mitigating Controls (NIST 800-53 r5)AI
Remediating the specific improper filename control flaw in the Jack Well WordPress theme directly prevents PHP Local File Inclusion exploitation.
Validating user-supplied inputs for filenames in PHP include/require statements prevents attackers from specifying arbitrary local files.
Enforcing least privilege on the web server process limits the damage from successful LFI by restricting access to sensitive local files.
Security SummaryAI
CVE-2025-49365 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, referred to as PHP Remote File Inclusion, in the AncoraThemes Jack Well (jack-well) WordPress theme. It enables PHP Local File Inclusion and affects versions from n/a through 1.0.14.
Unauthenticated remote attackers can exploit this vulnerability over the network (AV:N) with high attack complexity (AC:H), no privileges required (PR:N), and no user interaction (UI:N). Successful exploitation can result in high impacts to confidentiality, integrity, and availability (C:H/I:H/A:H), with an unchanged scope (S:U), as reflected in its CVSS 3.1 base score of 8.1.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/jack-well/vulnerability/wordpress-jack-well-theme-1-0-14-local-file-inclusion-vulnerability?_s_id=cve details this Local File Inclusion vulnerability in the Jack Well WordPress theme version 1.0.14.
Details
- CWE(s)
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unauthenticated remote exploitation of a file inclusion vulnerability in a public-facing WordPress theme directly maps to T1190: Exploit Public-Facing Application.