CVE-2025-58879 - Vulnerability Details

- WordPress Festy theme <= 1.13.0 - Local File Inclusion vulnerability

Description

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Festy festy allows PHP Local File Inclusion.This issue affects Festy: from n/a through <= 1.13.0.

Published: 2025-12-18

Score: 8.1 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

This vulnerability arises from improper validation of filenames used in PHP include/require statements within the AncoraThemes Festy theme. The flaw allows an attacker to specify an arbitrary local file path, causing the server to read or execute that file. As a result, sensitive configuration files, credentials, or other protected content may be exposed, and in more advanced scenarios, arbitrary PHP code could be executed, leading to full site compromise.

Affected Systems

The affected product is the AncoraThemes Festy WordPress theme. All releases from the initial release up through version 1.13.0 are impacted. Any site using this theme within that version range is vulnerable.

Risk and Exploitability

The CVSS score of 8.1 indicates high severity. The EPSS score of less than 1% suggests that exploitation is unlikely but not impossible. The vulnerability is not currently in the CISA KEV catalog. Based on the description, the likely attack vector is through a web request transmitted over the network, with an attacker supplying a crafted file path to the include/require functionality. Successful exploitation requires the attacker to identify a PHP endpoint that processes user input for file inclusion.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

AncoraThemes

Festy

unaffected

Version	Status	Constraints
`0`	affected	≤ 1.13.0

Configuration 1 [-]

cpe:2.3:a:ancorathemes:festy:*:*:*:*:*:wordpress:*:*

No data.

Vendor	Product	Confidence	Versions
Wordpress	Wordpress	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Festy theme to version 1.13.1 or later, removing the vulnerable code.
If an upgrade is not possible, disable or delete the Festy theme to eliminate the vulnerability.
Configure the web server or application to disallow directory traversal characters in file inclusion arguments, restricting include paths to safe directories.

Generated by OpenCVE AI on April 29, 2026 at 22:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0011.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://patchstack.com/database/Wordpress/Theme/festy/vulnerability/wordpress-festy-theme-1-13-0-local-file-inclusion-vulnerability?_s_id=cve

History

Mon, 27 Apr 2026 19:30:00 +0000

Type	Values Removed	Values Added
Metrics	ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`	ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Thu, 23 Apr 2026 15:00:00 +0000

Type	Values Removed	Values Added
Metrics	cvssV3_1 `{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}`	cvssV3_1 `{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}`

Tue, 20 Jan 2026 15:30:00 +0000

Type	Values Removed	Values Added
References	https://vdp.patchstack.com/database/Wordpress/Theme/festy/vulnerability/wordpress-festy-theme-1-13-0-local-file-inclusion-vulnerability?_s_id=cve

Tue, 20 Jan 2026 14:45:00 +0000

Type	Values Removed	Values Added
References		https://patchstack.com/database/Wordpress/Theme/festy/vulnerability/wordpress-festy-theme-1-13-0-local-file-inclusion-vulnerability?_s_id=cve

Fri, 16 Jan 2026 20:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Ancorathemes Ancorathemes festy
CPEs		cpe:2.3:a:ancorathemes:festy::::::wordpress::*
Vendors & Products		Ancorathemes Ancorathemes festy

Fri, 19 Dec 2025 09:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Wordpress Wordpress wordpress
Vendors & Products		Wordpress Wordpress wordpress

Thu, 18 Dec 2025 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}` ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 18 Dec 2025 07:45:00 +0000

Type	Values Removed	Values Added
Description		Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Festy festy allows PHP Local File Inclusion.This issue affects Festy: from n/a through <= 1.13.0.
Title		WordPress Festy theme <= 1.13.0 - Local File Inclusion vulnerability
Weaknesses		CWE-98
References		https://vdp.patchstack.com/database/Wordpress/Theme/festy/vulnerability/wordpress-festy-theme-1-13-0-local-file-inclusion-vulnerability?_s_id=cve

Subscriptions

Ancorathemes Festy

Wordpress Wordpress

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published: 2025-12-18T07:21:52.239Z

Updated: 2026-04-28T16:13:49.047Z

Reserved: 2025-09-05T10:50:17.983Z

Link: CVE-2025-58879

Vulnrichment

Updated: 2025-12-18T18:12:24.353Z

NVD

Status : Modified

Published: 2025-12-18T08:15:57.650

Modified: 2026-04-27T19:16:15.370

Link: CVE-2025-58879

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T22:45:06Z

Weaknesses

CWE-98

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object