CVE-2025-53429

High

Published: 18 December 2025

Published

18 December 2025

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0022 44.7th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Description

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Exit Game exit-game allows PHP Local File Inclusion.This issue affects Exit Game: from n/a through <= 1.4.3.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly requires validating filename inputs to PHP include/require statements to block path traversal and prevent local file inclusion exploitation.

SI-9 Information Input Restrictions good match

prevent

Enforces input restrictions at web boundaries to block malicious filename patterns like '../' sequences used in this LFI vulnerability.

SI-2 Flaw Remediation good match

prevent

Ensures timely patching of the specific flaw in Exit Game WordPress theme versions through 1.4.3 to eliminate the improper filename control.

Security SummaryAI

CVE-2025-53429 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, described as PHP Remote File Inclusion but enabling PHP Local File Inclusion (CWE-98), in the Exit Game WordPress theme developed by AncoraThemes. The issue affects Exit Game versions from an unspecified initial release through 1.4.3. It carries a CVSS v3.1 base score of 8.1 (High), reflecting network accessibility, high attack complexity, no privileges or user interaction required, and high impacts on confidentiality, integrity, and availability.

Unauthenticated remote attackers can exploit this vulnerability over the network by manipulating filename controls in PHP include/require statements, leading to local file inclusion. With high attack complexity, exploitation enables severe outcomes including high-level unauthorized access to sensitive data (C:H), modification of system files or behavior (I:H), and disruption of services (A:H), potentially escalating to remote code execution depending on includable files.

Patchstack provides details on this vulnerability, including affected versions and remediation guidance, in their advisory at https://patchstack.com/database/Wordpress/Theme/exit-game/vulnerability/wordpress-exit-game-theme-1-4-3-local-file-inclusion-vulnerability?_s_id=cve.

Details

CWE(s): CWE-98

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

The vulnerability is a file inclusion flaw in a public-facing WordPress theme, directly enabling exploitation of a public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://patchstack.com/database/Wordpress/Theme/exit-game/vulnerability/wordpress-exit-game-theme-1-4-3-local-file-inclusion-vulnerability?_s_id=cve
audit@patchstack.com