Academist Theme CVE-2025-62055
HIGHSeverity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Academist academist.This issue affects Academist: from n/a through < 1.3.
AnalysisAI
Local file inclusion in WordPress Academist theme versions prior to 1.3 enables remote attackers to include arbitrary PHP files from the server filesystem, leading to potential information disclosure, code execution, and full site compromise. The vulnerability stems from improper filename validation in PHP include/require statements. Despite a CVSS score of 8.1, the EPSS probability is only 0.05% (16th percentile), suggesting attackers have not widely adopted this technique, though the attack complexity is rated high. No confirmed active exploitation or public exploit code identified at time of analysis.
Technical ContextAI
This vulnerability is a PHP Remote File Inclusion (RFI) classified as CWE-98, affecting the Academist WordPress theme by Elated-Themes. The flaw occurs when user-controlled input is passed to PHP include() or require() functions without proper sanitization, allowing attackers to manipulate file paths. While tagged as RFI and categorized under CWE-98, the Patchstack reference and LFI tag suggest this is actually a Local File Inclusion vulnerability, where attackers can include existing files on the server rather than remote URLs. The discrepancy between the CWE-98 classification (which typically covers RFI) and the LFI tag indicates the vulnerability likely allows traversal to local files but may have been classified under the broader CWE category. WordPress themes commonly expose this vulnerability through improperly validated template file parameters or AJAX handlers that accept file paths.
Affected ProductsAI
WordPress Academist theme by Elated-Themes, all versions prior to version 1.3. The vulnerability report from Patchstack (audit@patchstack.com) specifically identifies the theme slug as 'academist' in WordPress installations. No CPE string was provided in the available data, limiting precise asset inventory queries. Organizations can identify affected installations by checking their WordPress theme directory for the Academist theme and verifying the version number is below 1.3. The vendor advisory is available at https://patchstack.com/database/Wordpress/Theme/academist/vulnerability/wordpress-academist-theme-1-3-local-file-inclusion-vulnerability.
RemediationAI
Update the Academist WordPress theme to version 1.3 or later, which addresses the file inclusion vulnerability according to Patchstack's database entry (https://patchstack.com/database/Wordpress/Theme/academist/vulnerability/wordpress-academist-theme-1-3-local-file-inclusion-vulnerability). WordPress administrators should navigate to Appearance > Themes in the WordPress admin panel and apply available updates. If immediate patching is not feasible, implement these compensating controls with noted trade-offs: disable the Academist theme and switch to a core WordPress theme (Twenty Twenty-Four or similar) until patching is complete, which may affect site appearance and require temporary redesign; configure web application firewall rules to block requests containing directory traversal patterns (../, .\, %2e%2e) to theme files, though this may cause false positives with legitimate file upload functionality; restrict PHP file execution in the wp-content/themes/academist/ directory via .htaccess rules (Apache) or location blocks (nginx), which prevents exploitation but may break intended theme functionality if the theme legitimately executes PHP in subdirectories. Verify remediation by testing that user-supplied parameters cannot influence file paths in theme includes.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-98 – PHP Remote File Inclusion
View allShare
External POC / Exploit Code
Leaving vuln.today