Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes EasyEat easyeat allows PHP Local File Inclusion. This issue affects EasyEat: from n/a through <= 1.9.0.
Published: 2025-12-18
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability arises from improper control over the filename used in PHP include or require statements, allowing an attacker to manipulate the path and load arbitrary files. Successful exploitation could enable local file inclusion, passing sensitive data to the attacker, or could potentially trigger remote file inclusion if the server’s remote file inclusion setting is enabled. The impact includes potential disclosure of system files, credential compromise, or execution of malicious code, severely affecting the confidentiality, integrity, and availability of the website.

Affected Systems

The problem exists in the AncoraThemes EasyEat WordPress theme, affecting all releases up through version 1.9.0. No specific sub‑version details are supplied, so any installation of EasyEat 1.9.0 or earlier is susceptible.

Risk and Exploitability

The vulnerability carries a CVSS score of 9.8, indicating a critical security flaw. The EPSS score of less than 1% suggests that, so far, exploit attempts have been minimal or not widely observed, and the vulnerability is not listed in CISA’s KEV catalog. However, given the high severity and the nature of file inclusion weaknesses, the risk remains significant. The likely attack vector is through user-controlled parameters in the URL or form inputs that influence the include path; this inference is drawn from the description of filename control issues in PHP.

Generated by OpenCVE AI on April 29, 2026 at 13:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade AncoraThemes EasyEat to any release newer than 1.9.0
  • If an upgrade is not immediately feasible, deactivate the EasyEat theme and switch to a default or trusted alternative theme
  • Configure your web server to disallow external includes and to set include_path to a safe, restricted directory

Advisories

No advisories yet.

History

Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Fri, 19 Dec 2025 09:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Wordpress, Wordpress wordpress |
| Vendors & Products | | Wordpress, Wordpress wordpress |

Thu, 18 Dec 2025 20:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'} |
| | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'} |


Thu, 18 Dec 2025 07:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes EasyEat easyeat allows PHP Local File Inclusion. This issue affects EasyEat: from n/a through <= 1.9.0. |
| Title | | WordPress EasyEat theme <= 1.9.0 - Local File Inclusion vulnerability |
| Weaknesses | | CWE-98 |
| References | | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T19:15:03.902Z

Reserved: 2025-06-30T10:46:13.038Z

Link: CVE-2025-53433

Vulnrichment

Updated: 2025-12-18T19:18:16.265Z

NVD

Status: Deferred

Published: 2025-12-18T08:15:53.563

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-53433

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T13:30:12Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')