Cyber Resilience

CVE-2025-49371

High

Published: 18 December 2025

Published
18 December 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0044 35.2th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-49371 is a high-severity PHP Remote File Inclusion (CWE-98) vulnerability. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 35.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-49371 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, referred to as PHP Remote File Inclusion but enabling PHP Local File Inclusion, in the AncoraThemes Strux WordPress theme. This issue affects Strux versions from n/a through 1.9. It has a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-98.

A network-based attacker requires no privileges or user interaction but must overcome high attack complexity to exploit the vulnerability remotely. Successful exploitation grants high-impact access to confidentiality, integrity, and availability, allowing local file inclusion on the targeted system.

The Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/strux/vulnerability/wordpress-strux-theme-1-9-local-file-inclusion-vulnerability?_s_id=cve documents this local file inclusion vulnerability in the WordPress Strux theme version 1.9.

EU & UK References

Vulnerability details

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Strux strux allows PHP Local File Inclusion.This issue affects Strux: from n/a through <= 1.9.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1083 File and Directory Discovery Discovery
Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.
Why these techniques?

CVE-2025-49371 is a remote/local file inclusion vulnerability in a public-facing WordPress theme, directly enabling exploitation of public-facing applications (T1190) and facilitating file and directory discovery via arbitrary file reads (T1083).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-28069Shared CWE-98
CVE-2025-53442Shared CWE-98
CVE-2025-60055Shared CWE-98
CVE-2025-60050Shared CWE-98
CVE-2026-28058Shared CWE-98
CVE-2025-22364Shared CWE-98
CVE-2026-22380Shared CWE-98
CVE-2025-58896Shared CWE-98
CVE-2025-58927Shared CWE-98
CVE-2025-69398Shared CWE-98

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires timely remediation of the specific PHP LFI flaw in the Strux WordPress theme to eliminate the improper filename control vulnerability.

prevent

Mandates validation of untrusted filename inputs to PHP include/require statements, directly preventing exploitation of CWE-98 improper control.

prevent

Enforces restrictive PHP configuration settings like open_basedir to limit file access paths even if LFI is attempted.

References