CVE-2025-53429
Published: 18 December 2025
Summary
CVE-2025-53429 is a high-severity PHP Remote File Inclusion (CWE-98) vulnerability. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 32.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-53429 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, described as PHP Remote File Inclusion but enabling PHP Local File Inclusion (CWE-98), in the Exit Game WordPress theme developed by AncoraThemes. The issue affects Exit Game versions from an unspecified initial release through 1.4.3. It carries a CVSS v3.1 base score of 8.1 (High), reflecting network accessibility, high attack complexity, no privileges or user interaction required, and high impacts on confidentiality, integrity, and availability.
Unauthenticated remote attackers can exploit this vulnerability over the network by manipulating filename controls in PHP include/require statements, leading to local file inclusion. With high attack complexity, exploitation enables severe outcomes including high-level unauthorized access to sensitive data (C:H), modification of system files or behavior (I:H), and disruption of services (A:H), potentially escalating to remote code execution depending on includable files.
Patchstack provides details on this vulnerability, including affected versions and remediation guidance, in their advisory at https://patchstack.com/database/Wordpress/Theme/exit-game/vulnerability/wordpress-exit-game-theme-1-4-3-local-file-inclusion-vulnerability?_s_id=cve.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-204221
Vulnerability details
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Exit Game exit-game allows PHP Local File Inclusion.This issue affects Exit Game: from n/a through <= 1.4.3.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is a file inclusion flaw in a public-facing WordPress theme, directly enabling exploitation of a public-facing application.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires validating filename inputs to PHP include/require statements to block path traversal and prevent local file inclusion exploitation.
Enforces input restrictions at web boundaries to block malicious filename patterns like '../' sequences used in this LFI vulnerability.
Ensures timely patching of the specific flaw in Exit Game WordPress theme versions through 1.4.3 to eliminate the improper filename control.