CVE-2025-53435

8.1 HIGH

📋 TL;DR

This CVE describes a PHP Local File Inclusion vulnerability in the Plan My Day WordPress theme. Attackers can include arbitrary local files, potentially leading to sensitive information disclosure or remote code execution. All WordPress sites using Plan My Day theme version 1.1.13 or earlier are affected.

💻 Affected Systems

Products:
  • WordPress Plan My Day Theme
Versions: <= 1.1.13
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with the vulnerable theme active.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, data exfiltration, and persistent backdoor installation.

🟠 Likely Case

Sensitive file disclosure (configuration files, database credentials) and limited code execution within web server context.

🟢 If Mitigated

No impact if proper file permissions and web server configurations prevent unauthorized file access.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires knowledge of file paths but is straightforward for attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: >1.1.13

Vendor Advisory: https://patchstack.com/database/Wordpress/Theme/planmyday/vulnerability/wordpress-plan-my-day-theme-1-1-13-local-file-inclusion-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into WordPress admin panel.
2. Navigate to Appearance > Themes.
3. Check for Plan My Day theme updates.
4. Update to latest version.
5. If no update available, replace with secure alternative theme.

🔧 Temporary Workarounds

Disable vulnerable theme (platform: all)

Switch to a different WordPress theme immediately

Restrict PHP file inclusion (platform: linux)

Configure PHP to disable allow_url_include and restrict open_basedir

php_admin_value allow_url_include Off
php_admin_value open_basedir /var/www/html

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block file inclusion patterns
  • Restrict file system permissions to web server user

🔍 How to Verify

Check if Vulnerable:

Check WordPress theme version in Appearance > Themes or wp-content/themes/planmyday/style.css

Check Version:

grep 'Version' /path/to/wordpress/wp-content/themes/planmyday/style.css

Verify Fix Applied:

Confirm theme version is >1.1.13 and test file inclusion attempts return errors
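As an added example (not part of the advisory and not the theme's own code), the following Python script reads the theme header from style.css and compares the version numerically against 1.1.13, so that a version such as 1.1.2 is classified as affected rather than being compared as a string (where "1.1.2" would sort after "1.1.13"). The style.css text below is a constructed sample, and the file path passed to check_theme_file is an assumption about where the theme lives.

```python
import re
from pathlib import Path

# Constructed sample of a WordPress theme header; not the real Plan My Day file.
SAMPLE_STYLE_CSS = """/*
Theme Name: Plan My Day
Theme URI: https://example.invalid/placeholder
Version: 1.1.13
*/
"""

# The advisory states that versions <= 1.1.13 are affected.
LAST_AFFECTED = (1, 1, 13)


def parse_theme_version(css_text):
    """Return the 'Version:' value from a theme header, or None if absent."""
    m = re.search(r'^\s*Version:\s*([0-9][0-9A-Za-z.\-]*)\s*$', css_text, re.MULTILINE)
    return m.group(1) if m else None


def version_tuple(ver):
    """'1.1.13' -> (1, 1, 13). Non-numeric suffixes such as '-beta' are dropped."""
    parts = []
    for piece in ver.split('.'):
        digits = re.match(r'\d+', piece)
        parts.append(int(digits.group()) if digits else 0)
    return tuple(parts)


def is_vulnerable(ver):
    """Numeric comparison: anything at or below 1.1.13 is affected."""
    return version_tuple(ver) <= LAST_AFFECTED


def check_theme(css_text):
    """Return ('vulnerable' | 'patched' | 'unknown', version_string_or_None)."""
    ver = parse_theme_version(css_text)
    if ver is None:
        return ('unknown', None)
    return ('vulnerable' if is_vulnerable(ver) else 'patched', ver)


def check_theme_file(path):
    """Read a style.css from disk and classify it (assumed path layout)."""
    text = Path(path).read_text(encoding='utf-8', errors='replace')
    return check_theme(text)


if __name__ == "__main__":
    # Run against the constructed sample; point check_theme_file at
    # /path/to/wordpress/wp-content/themes/planmyday/style.css on a real host.
    print(check_theme(SAMPLE_STYLE_CSS))
```

A result of 'unknown' means the header could not be parsed, which should be treated as unverified rather than as patched.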

📡 Detection & Monitoring

Log Indicators:

  • Unusual file path requests in access logs
  • PHP include/require errors with suspicious paths
  • Multiple 404 errors for non-existent theme files

Network Indicators:

  • HTTP requests with file path parameters like ?file=../../../etc/passwd
  • Unusual outbound connections after successful exploitation

SIEM Query:

source="web_access.log" AND (uri="*?file=*" OR uri="*?page=*" OR uri="*?include=*") AND status=200
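The SIEM query above flags every request that carries a file, page or include parameter and returned 200, which will be noisy on a real site and misses blocked probes. As an added example (not from the advisory), the following Python script narrows detection to parameter values that contain directory traversal sequences or absolute system paths, URL-decoding the value repeatedly so that double-encoded payloads are not missed, and keeps non-200 responses so that blocked attempts are still visible. The parameter names and the access-log lines are constructed assumptions, since the advisory does not name the theme's vulnerable parameter.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Assumed parameter names: the ones in the SIEM query plus common inclusion names.
INCLUSION_PARAMS = {"file", "page", "include", "template", "path"}

# Value patterns indicating traversal or reads of sensitive files.
SUSPICIOUS_VALUE = re.compile(
    r"(\.\./|\.\.\\|^/etc/|wp-config\.php)",
    re.IGNORECASE,
)

# Apache/nginx combined log format: ip - - [time] "METHOD path PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Jul/2025:12:00:01 +0000] "GET /?page=2 HTTP/1.1" 200 5123',
    '203.0.113.10 - - [10/Jul/2025:12:00:05 +0000] "GET /index.php?file=../../../etc/passwd HTTP/1.1" 200 1842',
    '198.51.100.7 - - [10/Jul/2025:12:00:09 +0000] "GET /index.php?include=%252e%252e%252fwp-config.php HTTP/1.1" 403 2210',
    '198.51.100.7 - - [10/Jul/2025:12:00:12 +0000] "GET /about/?page=contact HTTP/1.1" 404 312',
]


def decode_fully(value, rounds=3):
    """URL-decode until stable (bounded) so %252e%252e%252f becomes ../."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(path):
    """Return (param, decoded_value) for the first suspicious inclusion parameter, else None."""
    parts = urlsplit(path)
    query = parse_qs(parts.query, keep_blank_values=True)  # parse_qs decodes once already
    for name, values in query.items():
        if name.lower() not in INCLUSION_PARAMS:
            continue
        for value in values:
            decoded = decode_fully(value)
            if SUSPICIOUS_VALUE.search(decoded):
                return (name, decoded)
    return None


def scan_log(lines):
    """Return one finding dict per log line whose inclusion parameter looks like an LFI probe."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, ts, method, path, status = m.groups()
        finding = inspect_request(path)
        if finding:
            hits.append({
                "ip": ip,
                "time": ts,
                "method": method,
                "status": int(status),
                "param": finding[0],
                "value": finding[1],
                "path": path,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The status code is kept in each finding so that a 200 on a traversal value (possible successful read) can be escalated differently from a 403 or 404 (probe blocked or target absent); either way the source IP is worth correlating with later outbound connections, as the network indicators above suggest.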
