CVE-2025-53439 - Vulnerability Details

- WordPress Harper theme <= 1.13 - Local File Inclusion vulnerability

Description

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Harper harper allows PHP Local File Inclusion.This issue affects Harper: from n/a through <= 1.13.

Published: 2025-12-18

Score: 8.1 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Harper theme for WordPress contains a flaw in the handling of filenames supplied to PHP include or require calls. By providing an arbitrary local filename, an attacker can cause the theme to include that file without sufficient validation. This local file inclusion can expose sensitive server files and, if the injected file contains executable PHP code, may lead to code execution. The vulnerability is identified as CWE-98 and exists in all releases of Harper up to version 1.13.

Affected Systems

Any WordPress site running the axiomthemes Harper theme at version 1.13 or earlier is affected. The flaw is independent of specific WordPress core releases and impacts all installations where the theme is active.

Risk and Exploitability

The CVSS score of 8.1 marks the flaw as high severity. The EPSS score of less than 1% indicates a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, so no confirmed exploits are known. Based on the description, it is inferred that an attacker could target sites by manipulating the filename parameter used by the Harper theme, for example through crafted URLs or user input, and achieve local file inclusion that might lead to code execution if a PHP file is included.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

axiomthemes

Harper

unaffected

Version	Status	Constraints
`0`	affected	≤ 1.13

Configuration 1 [-]

cpe:2.3:a:axiomthemes:harper:*:*:*:*:*:wordpress:*:*

No data.

Vendor	Product	Confidence	Versions
Wordpress	Wordpress	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the Harper theme to a version newer than 1.13, which removes the insecure include logic.
If an update is not available immediately, configure PHP to disable user-defined includes: set allow_url_include to off and enable open_basedir to restrict file access, and enforce directory traversal protections via server configuration.
Implement application‑level input validation for any parameters that influence file inclusion, ensuring only expected filenames or path segments are processed.

Generated by OpenCVE AI on April 29, 2026 at 18:56 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00104.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://patchstack.com/database/Wordpress/Theme/harper/vulnerability/wordpress-harper-theme-1-13-local-file-inclusion-vulnerability?_s_id=cve

History

Tue, 20 Jan 2026 15:30:00 +0000

Type	Values Removed	Values Added
References	https://vdp.patchstack.com/database/Wordpress/Theme/harper/vulnerability/wordpress-harper-theme-1-13-local-file-inclusion-vulnerability?_s_id=cve

Tue, 20 Jan 2026 14:45:00 +0000

Type	Values Removed	Values Added
References		https://patchstack.com/database/Wordpress/Theme/harper/vulnerability/wordpress-harper-theme-1-13-local-file-inclusion-vulnerability?_s_id=cve

Tue, 06 Jan 2026 19:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Axiomthemes Axiomthemes harper
CPEs		cpe:2.3:a:axiomthemes:harper::::::wordpress::*
Vendors & Products		Axiomthemes Axiomthemes harper

Fri, 19 Dec 2025 09:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Wordpress Wordpress wordpress
Vendors & Products		Wordpress Wordpress wordpress

Thu, 18 Dec 2025 20:15:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Thu, 18 Dec 2025 07:45:00 +0000

Type	Values Removed	Values Added
Description		Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Harper harper allows PHP Local File Inclusion.This issue affects Harper: from n/a through <= 1.13.
Title		WordPress Harper theme <= 1.13 - Local File Inclusion vulnerability
Weaknesses		CWE-98
References		https://vdp.patchstack.com/database/Wordpress/Theme/harper/vulnerability/wordpress-harper-theme-1-13-local-file-inclusion-vulnerability?_s_id=cve

Subscriptions

Axiomthemes Harper

Wordpress Wordpress

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published: 2025-12-18T07:21:47.455Z

Updated: 2026-04-28T19:16:02.342Z

Reserved: 2025-06-30T10:46:13.038Z

Link: CVE-2025-53439

Vulnrichment

Updated: 2025-12-18T19:21:51.688Z

NVD

Status : Modified

Published: 2025-12-18T08:15:54.380

Modified: 2026-01-20T15:16:57.043

Link: CVE-2025-53439

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T19:00:06Z

Weaknesses

CWE-98

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object