CVE-2025-53216
Published: 28 August 2025
Summary
CVE-2025-53216 is a high-severity PHP Remote File Inclusion (CWE-98) vulnerability. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 36.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-53216 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, classified under CWE-98, that enables PHP Local File Inclusion in the Glamer WordPress theme developed by themeuniver. The issue affects Glamer versions from n/a through 1.0.2. Published on 2025-08-28, it carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
Remote unauthenticated attackers (PR:N) can exploit this vulnerability over the network (AV:N) with high attack complexity (AC:H) and without requiring user interaction (UI:N). Successful exploitation allows high-impact compromise of confidentiality, integrity, and availability (C:H/I:H/A:H), typically enabling attackers to include and execute arbitrary local PHP files on the server.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/glamer/vulnerability/wordpress-glamer-theme-1-0-2-local-file-inclusion-vulnerability?_s_id=cve provides further details on this Local File Inclusion vulnerability in the Glamer WordPress theme version 1.0.2.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-26004
Vulnerability details
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in themeuniver Glamer glamer allows PHP Local File Inclusion.This issue affects Glamer: from n/a through <= 1.0.2.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct LFI vulnerability in public-facing WordPress theme enables remote exploitation of the web application.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Implements input validation mechanisms for filenames used in PHP include/require statements, directly preventing local file inclusion by ensuring only authorized files are processed.
Requires identification, reporting, and timely remediation of flaws like the improper filename control in Glamer theme versions up to 1.0.2.
Monitors and scans for vulnerabilities such as CVE-2025-53216 in WordPress themes, enabling detection and patching before exploitation.