CVE-2025-53441

High

Published: 18 December 2025

Published

18 December 2025

Modified

20 January 2026

KEV Added

—

Patch

—

CVSS Score 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0022 44.7th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Description

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Greeny greeny allows PHP Local File Inclusion.This issue affects Greeny: from n/a through <= 2.6.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Enforces validation of user-supplied filenames prior to use in PHP include/require statements, directly preventing local file inclusion exploits.

SI-2 Flaw Remediation good match

prevent

Requires identification, reporting, and timely patching of flaws like the improper filename control in the Greeny theme, eliminating the vulnerability.

CM-6 Configuration Settings good match

prevent

Establishes secure PHP configuration settings such as open_basedir restrictions to limit filesystem access and mitigate local file inclusion attempts.

Security SummaryAI

CVE-2025-53441 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, classified as PHP Remote File Inclusion but enabling PHP Local File Inclusion, affecting the Greeny WordPress theme developed by axiomthemes. The issue impacts all versions of Greeny up to and including 2.6, with no lower bound specified. It has a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-98.

A remote unauthenticated attacker (PR:N) can exploit this vulnerability over the network (AV:N) without user interaction (UI:N), though it requires high attack complexity (AC:H). Successful exploitation leads to high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), potentially allowing arbitrary file inclusion and execution of local files, which could result in server compromise depending on the targeted files and server configuration.

Patchstack has documented this vulnerability in their database for the Greeny WordPress theme version 2.6, providing details on the local file inclusion issue at https://patchstack.com/database/Wordpress/Theme/greeny/vulnerability/wordpress-greeny-theme-2-6-local-file-inclusion-vulnerability?_s_id=cve. Security practitioners should consult this advisory for patch availability and mitigation guidance.

Details

CWE(s): CWE-98

Affected Products

axiomthemes

greeny

≤ 2.6

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

The vulnerability is a local file inclusion (LFI) flaw in a public-facing WordPress theme, allowing remote unauthenticated attackers to include and potentially execute arbitrary local files, directly enabling exploitation of a public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://patchstack.com/database/Wordpress/Theme/greeny/vulnerability/wordpress-greeny-theme-2-6-local-file-inclusion-vulnerability?_s_id=cve
audit@patchstack.com