CVE-2025-53252

CVE-2025-53252 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, classified as PHP Remote File Inclusion but enabling PHP Local File Inclusion, in the Zegen WordPress theme developed by zozothemes. This issue affects Zegen versions from n/a through 1.1.9.

The vulnerability carries a CVSS v3.1 base score of 7.5 (High), with an attack vector of Network (AV:N), high attack complexity (AC:H), low privileges required (PR:L), no user interaction (UI:N), unchanged scope (S:U), and high impacts to confidentiality, integrity, and availability (C:H/I:H/A:H). It is associated with CWE-98. Attackers with low privileges, such as authenticated users, can exploit it over the network with high complexity to achieve local file inclusion, potentially leading to unauthorized file access, modification, or execution depending on server configuration.

Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/zegen/vulnerability/wordpress-zegen-theme-1-1-9-local-file-inclusion-vulnerability?_s_id=cve. The vulnerability was published on 2025-11-06T16:15:56.010.