Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Convex convex allows PHP Local File Inclusion. This issue affects Convex: from n/a through <= 1.11.
Published: 2025-12-18
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This CVE records improper control of the filename used in a PHP include/require statement (CWE-98) in the Axiom Themes Convex WordPress theme. An attacker who controls that filename can make the theme include a file of their choosing from the local filesystem. Because PHP's include executes any PHP code in the target file and emits everything else as output, two outcomes follow from the weakness class: disclosure of sensitive files on the web server (the WordPress configuration file with its database credentials is the usual target), and remote code execution wherever the attacker can first place PHP on disk, for example through an upload that the inclusion then executes. The CVE record does not name the vulnerable parameter, template or function; the path to those outcomes is inferred from the weakness class, not documented by the vendor.

Affected Systems

Convex is affected in every version through 1.11; the record gives no lower bound ("from n/a"), so treat any install of 1.11 or earlier as affected. The vendor is Axiom Themes and the product is the Convex WordPress theme (CPE cpe:2.3:a:axiomthemes:convex:*:*:*:*:*:wordpress:*:*). The installed version is shown under Appearance > Themes in the WordPress admin, in the Version header of the theme's style.css, or with "wp theme list" on sites that have WP-CLI.

Risk and Exploitability

The CVSS 3.1 score of 8.1 (High) comes from the vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H recorded in the history below: remotely exploitable without privileges or user interaction, with full confidentiality, integrity and availability impact, but rated High attack complexity, which is what keeps it below the 9.8 that an unconditioned file inclusion would score. The EPSS score below 1% and the absence from the CISA KEV catalog indicate no known exploitation at the time of writing, and the SSVC assessment (Exploitation: none, Automatable: no, Technical Impact: total) says the same; none of this reduces the impact for a site that remains unpatched. The likely attack vector is an HTTP request whose parameter the theme passes into an include or require call. File disclosure needs only a path to a readable local file; code execution additionally needs a location on the server where the attacker can write PHP before pointing the include at it.

Generated by OpenCVE AI on April 29, 2026 at 18:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Convex to a release newer than 1.11 as soon as Axiom Themes publishes one. This page records no vendor fix at the time of writing, so confirm from the theme's changelog that the release addresses the file-inclusion issue before treating the upgrade as the remediation.
  • If an upgrade cannot be performed immediately, remove user control over the filename in the theme's include/require calls: map request parameters to a fixed set of known template names and never concatenate request data into a path.
  • Validate with an allowlist of expected names rather than by rejecting ".." alone; URL-encoded variants, backslashes on Windows hosts and PHP stream wrappers such as php://filter all pass a simple substring check. As defence in depth, resolve the final path with realpath() and verify it remains inside the intended template directory.
  • Until patched, review web server access logs for theme requests whose parameters carry path separators, traversal sequences or stream-wrapper prefixes.
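
The vulnerable include pattern beside a hardened version, as an added example. This is not code from the Convex theme or Axiom Themes, which the CVE record does not reproduce; the "template" parameter, the template directory and the allowlist of template names are assumptions for illustration.

```php
<?php
// Added example of the CWE-98 pattern this advisory describes. It is not code
// from the Convex theme or Axiom Themes; the "template" parameter, the
// template directory and the allowlist are assumptions for illustration.
declare(strict_types=1);

// Vulnerable: the request decides what PHP includes. include() runs any PHP in
// the target file and echoes everything else, so a value like ../../../wp-config
// (depth depends on where the template directory sits) discloses database
// credentials, and a path to attacker-placed PHP (an "image" in
// wp-content/uploads, a poisoned log file) gives code execution.
function render_template_vulnerable(string $template, string $templateDir): void
{
    include $templateDir . '/' . $template . '.php';
}

// Hardened: only known template names are accepted, and the resolved path is
// checked against the template directory as defence in depth.
const ALLOWED_TEMPLATES = ['header', 'footer', 'sidebar', 'single'];

function resolve_template(string $template, string $templateDir): ?string
{
    // 1. Allowlist the name itself. A strict in_array() rejects traversal,
    //    embedded null bytes and stream wrappers such as php://filter before
    //    anything touches the filesystem.
    if (!in_array($template, ALLOWED_TEMPLATES, true)) {
        return null;
    }
    // 2. Resolve symlinks, "." and ".." and confirm the file still lives
    //    under the template directory.
    $base = realpath($templateDir);
    $path = realpath($templateDir . DIRECTORY_SEPARATOR . $template . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

function render_template_hardened(string $template, string $templateDir): void
{
    $path = resolve_template($template, $templateDir);
    if ($path === null) {
        http_response_code(400);
        exit('invalid template');
    }
    include $path;
}

// Self-check against constructed inputs, run from the CLI (php lfi-demo.php).
// It builds a throwaway template directory containing a single header.php.
$dir = sys_get_temp_dir() . '/lfi-demo-' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
file_put_contents($dir . '/header.php', "<?php echo 'header rendered';");

$cases = [
    'header'                       => true,  // legitimate request
    '../../../../etc/passwd'       => false, // classic traversal
    'header/../header'             => false, // resolves inside, still not an allowed name
    "header\0"                     => false, // embedded null byte
    'php://filter/resource=header' => false, // stream wrapper
    'footer'                       => false, // allowed name, but the file does not exist
];
foreach ($cases as $input => $expectAllowed) {
    $allowed = resolve_template($input, $dir) !== null;
    printf("%-32s %s\n", json_encode($input), $allowed === $expectAllowed ? 'OK' : 'FAIL');
}
unlink($dir . '/header.php');
rmdir($dir);
```

The allowlist is the fix; the realpath() prefix check only guards against a later edit that widens the allowlist to something path-like. Note that setting allow_url_include=Off in php.ini blocks remote URLs but does nothing for local inclusion, which is the case this CVE describes.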


Advisories

No advisories yet.

History

All entries below are additions; no values were removed.

Wed, 21 Jan 2026 12:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 20 Jan 2026 15:30:00 +0000 (no field changes shown)

Tue, 20 Jan 2026 14:45:00 +0000 (no field changes shown)

Mon, 05 Jan 2026 14:00:00 +0000

Type: First Time appeared
Values Added: Axiomthemes; Axiomthemes convex
Type: CPEs
Values Added: cpe:2.3:a:axiomthemes:convex:*:*:*:*:*:wordpress:*:*
Type: Vendors & Products
Values Added: Axiomthemes; Axiomthemes convex

Fri, 19 Dec 2025 09:30:00 +0000

Type: First Time appeared
Values Added: Wordpress; Wordpress wordpress
Type: Vendors & Products
Values Added: Wordpress; Wordpress wordpress

Thu, 18 Dec 2025 19:30:00 +0000

Type: Metrics
Values Added: cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Thu, 18 Dec 2025 07:45:00 +0000

Type: Description
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Convex convex allows PHP Local File Inclusion. This issue affects Convex: from n/a through <= 1.11.
Type: Title
Values Added: WordPress Convex theme <= 1.11 - Local File Inclusion vulnerability
Type: Weaknesses
Values Added: CWE-98
Type: References
Values Added: (none listed)

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T19:17:23.429Z

Reserved: 2025-06-30T10:46:21.829Z

Link: CVE-2025-53449

Vulnrichment

Updated: 2025-12-18T19:01:19.947Z

NVD

Status : Modified

Published: 2025-12-18T08:15:55.403

Modified: 2026-01-20T15:16:58.197

Link: CVE-2025-53449

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T19:00:06Z

Weaknesses