Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Network-reachable, unauthenticated LFI (AV:N/PR:N/UI:N) with AC:H for the required inclusion conditions; C:H for file disclosure, but I/A rated Low since code execution depends on unconfirmed server conditions.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Local File Inclusion in Lighthouse <= 1.2.12 versions.
AnalysisAI
Unauthenticated Local File Inclusion in the AncoraThemes 'Lighthouse' WordPress theme (versions 1.2.12 and earlier, classified under CWE-98) lets remote attackers with no credentials coerce the theme's PHP include/require logic into loading attacker-influenced file paths. Because CWE-98 covers PHP remote/local file inclusion, a successful attack can disclose sensitive server files (wp-config.php, credentials) and, depending on server configuration, escalate to code execution, which is why NVD scores full C/I/A impact. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.
Technical ContextAI
The affected component is a WordPress theme distributed by the vendor AncoraThemes (CPE cpe:2.3:a:ancorathemes:lighthouse), marketed as a school/education theme ('lighthouseschool'). The root cause is CWE-98, Improper Control of Filename for Include/Require Statement in a PHP Program (PHP Remote/Local File Inclusion): the theme passes externally controllable input into a PHP include(), require(), or template-loading call without adequate sanitization or allow-listing. In WordPress themes this pattern typically appears in AJAX handlers, template loaders, or query-parameter-driven page renderers that build a filesystem path from user input, allowing directory traversal (../) or php:// / data:// wrapper abuse to reference unintended files.
RemediationAI
Update the Lighthouse theme to the first release published after 1.2.12; however, no vendor-released patched version is identified in the available data, so operators should consult the Patchstack advisory (https://patchstack.com/database/wordpress/theme/lighthouseschool/vulnerability/wordpress-lighthouse-theme-1-2-12-local-file-inclusion-vulnerability) and the AncoraThemes/ThemeForest changelog for the exact fixed build before upgrading. As compensating controls until a fix is confirmed: deploy a WAF or Patchstack virtual patch to block directory-traversal and PHP-wrapper patterns (../, php://, data://) on the theme's request parameters; harden PHP by setting allow_url_include=Off and open_basedir to restrict includable paths (side effect: may break plugins that legitimately load external paths); and restrict or disable the specific theme endpoint/AJAX action performing the include if it is non-essential (trade-off: loss of the associated theme feature). Deny web access to sensitive files such as wp-config.php at the server layer as defense against disclosure.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-98 – PHP Remote File Inclusion
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210398
GHSA-53r2-f5ph-rxfm