How to fix CVE-2025-49295?

Within 24 hours: Identify all systems running MediClinic theme versions through 2.1 and assess exposure in production environments. Within 7 days: Implement Web Application Firewall (WAF) rules to block path traversal patterns and restrict access to MediClinic installations to trusted networks only. Within 30 days: Contact Mikado-Themes for patch availability; if no patch is released, evaluate theme replacement or upgrade to an alternative security-hardened solution.

Is PHP affected by CVE-2025-49295?

A path traversal vulnerability in MediClinic theme versions through 2.1 enables attackers to read sensitive files from affected web servers, potentially exposing patient data, credentials, and system configurations.

CVE-2025-49295

EUVD-2025-17549 CRITICAL

2025-06-09 [email protected]

9.8

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

EUVD ID Assigned

Mar 14, 2026 - 19:21 euvd

EUVD-2025-17549

Analysis Generated

Mar 14, 2026 - 19:21 vuln.today

CVE Published

Jun 09, 2025 - 16:15 nvd

CRITICAL 9.8

Description

Path Traversal vulnerability in Mikado-Themes MediClinic allows PHP Local File Inclusion. This issue affects MediClinic: from n/a through 2.1.

Analysis

A Path Traversal vulnerability in Mikado-Themes MediClinic through version 2.1 enables unauthenticated remote attackers to conduct PHP Local File Inclusion (LFI) attacks, potentially allowing arbitrary file reading and code execution. The CVSS 8.1 score reflects high impact across confidentiality, integrity, and availability, though attack complexity is listed as HIGH. No public confirmation of active KEV exploitation or PoC availability is documented in standard feeds, but the high CVSS and LFI vector suggest this should be treated as a credible priority vulnerability.

Technical Context

The vulnerability stems from improper input validation in MediClinic's PHP file handling, classified under CWE-35 (Path Traversal), which enables attackers to manipulate file paths using directory traversal sequences (e.g., '../') or absolute paths to access files outside intended directories. MediClinic is a WordPress theme distributed by Mikado-Themes. The affected versions range from an unspecified baseline through version 2.1. The LFI vector is particularly dangerous in PHP environments as it can lead to Remote Code Execution (RCE) through log poisoning, session file manipulation, or inclusion of user-controllable data streams. The CPE for this product would be vendor:mikado-themes:mediClinic, with affected versions 2.1 and below.

Affected Products

MediClinic (≤ 2.1)

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.1

CVSS: +49

POC: 0

CVE-2025-49295 vulnerability details – vuln.today

Back

CVE-2025-49295

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Priority Score

Share

CVE-2025-49295

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Priority Score

Share

External POC / Exploit Code