CVE-2025-49364 – This vulnerability allows attackers to include ... (How to Fix)

Q: What is the severity of CVE-2025-49364?

CVE-2025-49364 has a CVSS score of 8.1 (HIGH). This vulnerability allows attackers to include local files on the server through improper filename control in PHP include/require statements. It affects WordPress sites using the Ludos Paradise theme version 2.1.3 and earlier, potentially leading to sensitive file disclosure or code execution.

📋 TL;DR

This vulnerability allows attackers to include local files on the server through improper filename control in PHP include/require statements. It affects WordPress sites using the Ludos Paradise theme version 2.1.3 and earlier, potentially leading to sensitive file disclosure or code execution.

💻 Affected Systems

Products:

AncoraThemes Ludos Paradise WordPress Theme

Versions: All versions up to and including 2.1.3

Operating Systems: Any OS running PHP and WordPress

Default Config Vulnerable: ⚠️ Yes

Notes: Requires WordPress installation with the vulnerable theme active. PHP configuration (allow_url_include) may affect exploitability.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:

Review the CVE details at NVD
Check vendor security advisories for your specific version
Test if the vulnerability is exploitable in your environment
Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete server compromise, data theft, and lateral movement within the network.

🟠

Likely Case

Local file inclusion allowing sensitive file disclosure (configuration files, credentials) and limited code execution.

🟢

If Mitigated

Limited impact if proper file permissions and web server configurations restrict access to sensitive directories.

🌐 Internet-Facing: HIGH - WordPress themes are typically internet-facing and vulnerable to unauthenticated attacks.

🏢 Internal Only: MEDIUM - Internal WordPress installations could still be exploited by authenticated users or through other attack vectors.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

PHP local file inclusion vulnerabilities are well-understood and often have public exploit code available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version after 2.1.3 (check vendor for specific fixed version)

Vendor Advisory: https://patchstack.com/database/Wordpress/Theme/ludos-paradise/vulnerability/wordpress-ludos-paradise-theme-2-1-3-local-file-inclusion-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Update Ludos Paradise theme to latest version. 2. If update not available, disable/remove the theme. 3. Replace with alternative secure theme.

🔧 Temporary Workarounds

Disable vulnerable theme

all

Deactivate and remove the Ludos Paradise theme from WordPress

wp theme deactivate ludos-paradise
wp theme delete ludos-paradise

Restrict PHP file inclusion

linux

Configure PHP to disable dangerous functions and restrict file inclusion

Add to php.ini: allow_url_include = Off
Add to php.ini: open_basedir = /var/www/html

🧯 If You Can't Patch

Implement web application firewall (WAF) rules to block file inclusion patterns
Restrict file permissions and implement strict access controls on sensitive directories

🔍 How to Verify

Check if Vulnerable:

Check WordPress theme version in Appearance > Themes or use: wp theme list --field=name,status,version

Check Version:

wp theme list --field=name,version | grep ludos-paradise

Verify Fix Applied:

Confirm theme version is greater than 2.1.3 and test file inclusion attempts return errors

📡 Detection & Monitoring

Log Indicators:

Unusual file paths in PHP error logs
Multiple requests with ../ patterns
Requests to theme files with parameter manipulation

Network Indicators:

HTTP requests containing file inclusion patterns (../, /etc/passwd, php://)
Unusual traffic to theme PHP files

SIEM Query:

source="web_logs" AND (uri="*ludos-paradise*" AND (param="*../*" OR param="*php://*" OR param="*/etc/*"))

📊 Metadata

CVE ID: CVE-2025-49364

CVSS v3 Score: 8.1 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

CWE: CWE-98

EPSS Score: 0.05% exploit probability (15.5th percentile)

Published: December 18, 2025

Last Updated: January 20, 2026

🔗 References

https://patchstack.com/database/Wordpress/Theme/ludos-paradise/vulnerability/wordpress-ludos-paradise-theme-2-1-3-local-file-inclusion-vulnerability?_s_id=cve

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-49364, you might also want to check these: