Cyber Resilience

CVE-2025-49942

Severity: High
Published: 18 December 2025
Modified: 15 April 2026
KEV Added: not listed
CVSS Score v3.1: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0042 (32.9th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-49942 is a high-severity PHP Remote File Inclusion (CWE-98) vulnerability. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score places it at the 32.9th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-49942 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, classified as PHP Remote File Inclusion, within the AncoraThemes Gardis WordPress theme. The flaw enables PHP Local File Inclusion and affects all versions of Gardis from n/a through 1.2.13. It is associated with CWE-98 and carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to network accessibility and significant impacts on confidentiality, integrity, and availability.

Unauthenticated attackers can exploit this vulnerability remotely over the network with high attack complexity, requiring no user privileges or interaction. Successful exploitation allows arbitrary local file inclusion via manipulated PHP include/require statements, potentially leading to high-impact outcomes such as unauthorized access to sensitive files, code execution, data modification, or denial of service.

The Patchstack advisory provides details on this WordPress Gardis theme vulnerability, accessible at https://patchstack.com/database/Wordpress/Theme/gardis/vulnerability/wordpress-gardis-theme-1-2-13-local-file-inclusion-vulnerability?_s_id=cve, which likely includes mitigation guidance such as updating to a patched version beyond 1.2.13.


Vulnerability details

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Gardis gardis allows PHP Local File Inclusion. This issue affects Gardis: from n/a through <= 1.2.13.

CWE(s)

CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is a remote/local file inclusion (RFI/LFI) in a public-facing WordPress theme, directly enabling exploitation of public-facing applications for initial access, sensitive file disclosure, or arbitrary code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-60043 (shared CWE-98)
CVE-2026-22414 (shared CWE-98)
CVE-2025-69396 (shared CWE-98)
CVE-2026-22372 (shared CWE-98)
CVE-2025-67523 (shared CWE-98)
CVE-2025-53434 (shared CWE-98)
CVE-2026-27342 (shared CWE-98)
CVE-2026-22496 (shared CWE-98)
CVE-2025-49426 (shared CWE-98)
CVE-2025-49369 (shared CWE-98)


Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)
Directly mitigates the CVE by identifying, reporting, and applying the patch to fix the improper filename control in the Gardis theme's PHP include/require statements.

SI-10 Information Input Validation (prevent)
Requires validation of filename inputs to PHP include/require functions, preventing arbitrary local file inclusion by unauthenticated attackers.

prevent
Enforces secure PHP configuration settings like open_basedir to restrict file access paths, limiting the impact of flawed include statements.
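The input-validation control above, shown as an added illustration that is not Gardis code: the request parameter name "layout", the template directory, and the allowlist values are assumptions, and the first function is the CWE-98 pattern this class of theme bug follows, while the second is the hardened form.

```php
<?php
// Added illustration, not code from the Gardis theme. The "layout"
// parameter, the templates/ directory and the allowlist are assumptions.

// Vulnerable pattern (CWE-98): a request value flows straight into
// include, so traversal sequences in the value reach files outside
// the template directory.
function render_layout_vulnerable(array $request): void
{
    $layout = $request['layout'] ?? 'default';
    include __DIR__ . '/templates/' . $layout . '.php';
}

// Hardened pattern: the request value is only ever used as a key into
// a fixed allowlist, and the resolved path must still sit inside the
// template directory before it is included.
function resolve_layout_template(string $layout): ?string
{
    static $allowed = ['default', 'grid', 'list'];
    if (!in_array($layout, $allowed, true)) {
        return null;
    }
    $base = realpath(__DIR__ . '/templates');
    $path = realpath($base . '/' . $layout . '.php');
    // realpath() returns false for a missing file; the prefix check
    // rejects anything that resolves outside the template directory.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function render_layout_hardened(array $request): void
{
    $layout = (string) ($request['layout'] ?? 'default');
    $path = resolve_layout_template($layout);
    if ($path === null) {
        // Reject rather than fall back: a rejected value is a signal
        // worth logging for detection, not something to silently repair.
        http_response_code(400);
        return;
    }
    include $path;
}
```

An open_basedir setting scoped to the site's document root, as the configuration control above describes, is the defence-in-depth layer that bounds what an include can reach even if validation like this is missing.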
