CVE-2025-53449 Overview
CVE-2025-53449 is a PHP Local File Inclusion (LFI) vulnerability in the Axiomthemes Convex WordPress theme. The flaw stems from improper control of filenames passed to PHP include or require statements [CWE-98]. Affected versions include all releases up to and including Convex 1.11. Unauthenticated attackers can leverage the issue over the network to include arbitrary local files, leading to code execution, sensitive data disclosure, and full site compromise. The vulnerability carries a CVSS 3.1 base score of 8.1, reflecting high impact to confidentiality, integrity, and availability despite higher attack complexity.
Critical Impact
Unauthenticated attackers can include arbitrary PHP files from the WordPress server, enabling remote code execution and full site takeover.
Affected Products
- Axiomthemes Convex WordPress theme — all versions up to and including 1.11
- WordPress installations running the Convex theme as the active or fallback theme
- Sites that allow the theme to process untrusted request parameters in include paths
Discovery Timeline
- 2025-12-18 - CVE-2025-53449 published to the National Vulnerability Database (NVD)
- 2026-01-20 - Last updated in NVD database
Technical Details for CVE-2025-53449
Vulnerability Analysis
The Convex theme processes user-controllable input and passes it to a PHP include or require statement without sufficient validation. An attacker supplies a crafted file path or filename through a request parameter that the theme uses to resolve a PHP file for inclusion. Because the input is not constrained to an allowlist or sanitized for traversal sequences, the PHP interpreter loads attacker-chosen files from the local filesystem.
When the included file contains PHP code, the interpreter executes it in the context of the web server user. This converts a file inclusion primitive into arbitrary code execution. Even when the included file is not PHP, the attacker can read configuration files such as wp-config.php, exposing database credentials and authentication keys.
Root Cause
The root cause is improper control of the filename argument supplied to a dynamic PHP include or require call [CWE-98]. The theme treats request-derived data as a trusted path component, omitting both canonicalization and allowlist enforcement. Path traversal sequences and absolute paths therefore reach the include resolver.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker issues an HTTP request to a Convex theme endpoint that consumes a filename parameter. The crafted value points to a local file the attacker wants the PHP runtime to load. Successful exploitation grants code execution under the web server account, with subsequent access to the database, session data, and uploaded content. Refer to the Patchstack WordPress Vulnerability advisory for additional technical context.
Detection Methods for CVE-2025-53449
Indicators of Compromise
- HTTP requests to Convex theme PHP files containing path traversal sequences such as ../ or encoded variants like %2e%2e%2f
- Web server access logs showing query parameters referencing system files like /etc/passwd, wp-config.php, or PHP wrappers like php://filter
- Unexpected PHP files appearing in the wp-content/uploads/ directory after suspicious theme requests
- Outbound connections from the PHP-FPM or web server process to unfamiliar hosts following theme requests
Detection Strategies
- Inspect WordPress access logs for requests targeting Convex theme files paired with file, page, template, or similar parameters carrying path-like values
- Deploy web application firewall (WAF) rules that block traversal patterns and PHP stream wrappers in query strings
- Monitor PHP error logs for include() and require() warnings referencing unexpected file paths
Monitoring Recommendations
- Alert on new or modified PHP files within the WordPress document root outside of scheduled maintenance windows
- Track child process creation from the web server user, especially sh, bash, curl, or wget invocations
- Correlate spikes in 200-OK responses to theme endpoints with subsequent administrator account changes
How to Mitigate CVE-2025-53449
Immediate Actions Required
- Deactivate the Convex theme on all WordPress sites until a vendor patch is verified and applied
- Switch the site to a maintained default theme such as a current Twenty* release to remove the vulnerable code path
- Rotate WordPress secret keys, database credentials, and administrator passwords if exploitation is suspected
- Review installed plugins and uploads for webshells or unauthorized PHP files
Patch Information
At the time of publication, no fixed version is listed for the Convex theme; all releases through 1.11 are affected. Monitor the Patchstack advisory for the Convex theme and the vendor's distribution channel for an updated release, and apply it as soon as it becomes available.
Workarounds
- Configure a WAF or Patchstack virtual patch to block traversal sequences and stream wrappers in requests to Convex theme files
- Restrict PHP open_basedir and disable_functions to limit the impact of arbitrary file inclusion
- Set allow_url_include to Off in php.ini to prevent escalation to remote file inclusion
# Configuration example: harden php.ini to limit file inclusion impact
allow_url_include = Off
allow_url_fopen = Off
open_basedir = "/var/www/html:/tmp"
disable_functions = "exec,passthru,shell_exec,system,proc_open,popen"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
