CVE-2025-49371
Published: 18 December 2025
Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Strux strux allows PHP Local File Inclusion.This issue affects Strux: from n/a through <= 1.9.
Mitigating Controls (NIST 800-53 r5)AI
Requires timely remediation of the specific PHP LFI flaw in the Strux WordPress theme to eliminate the improper filename control vulnerability.
Mandates validation of untrusted filename inputs to PHP include/require statements, directly preventing exploitation of CWE-98 improper control.
Enforces restrictive PHP configuration settings like open_basedir to limit file access paths even if LFI is attempted.
Security SummaryAI
CVE-2025-49371 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, referred to as PHP Remote File Inclusion but enabling PHP Local File Inclusion, in the AncoraThemes Strux WordPress theme. This issue affects Strux versions from n/a through 1.9. It has a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-98.
A network-based attacker requires no privileges or user interaction but must overcome high attack complexity to exploit the vulnerability remotely. Successful exploitation grants high-impact access to confidentiality, integrity, and availability, allowing local file inclusion on the targeted system.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/strux/vulnerability/wordpress-strux-theme-1-9-local-file-inclusion-vulnerability?_s_id=cve documents this local file inclusion vulnerability in the WordPress Strux theme version 1.9.
Details
- CWE(s)
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE-2025-49371 is a remote/local file inclusion vulnerability in a public-facing WordPress theme, directly enabling exploitation of public-facing applications (T1190) and facilitating file and directory discovery via arbitrary file reads (T1083).