Login Sign Up

CVE-2025-53443

8.1 HIGH

📋 TL;DR

This vulnerability allows attackers to include local files on the server through improper filename control in PHP include/require statements. It affects WordPress sites using the Smash theme from AxiomThemes. All versions up to and including 1.7 are vulnerable.

💻 Affected Systems

Products:
  • AxiomThemes Smash WordPress Theme
Versions: n/a through <= 1.7
Operating Systems: Any OS running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress with the Smash theme installed and activated.

📦 What is this software?

Smash by Axiomthemes

View all CVEs affecting Smash →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full server compromise through inclusion of sensitive files like /etc/passwd or PHP session files, potentially leading to remote code execution.

🟠

Likely Case

Information disclosure of sensitive server files, configuration files, or source code.

🟢

If Mitigated

Limited impact if file permissions are properly configured and sensitive files are not accessible.

🌐 Internet-Facing: HIGH - WordPress themes are typically internet-facing and this vulnerability can be exploited remotely.
🏢 Internal Only: MEDIUM - Internal systems could still be vulnerable if accessed by malicious insiders or through other compromised systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Local File Inclusion vulnerabilities are commonly exploited and weaponization is likely given the public disclosure.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: > 1.7

Vendor Advisory: https://patchstack.com/database/Wordpress/Theme/smash/vulnerability/wordpress-smash-theme-1-7-local-file-inclusion-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Update the Smash theme to version >1.7 through WordPress admin panel. 2. If update not available, remove the theme entirely. 3. Verify the update by checking theme version in Appearance > Themes.

🔧 Temporary Workarounds

Disable vulnerable theme

all

Switch to a different WordPress theme and deactivate/remove the Smash theme

wp theme deactivate smash
wp theme delete smash

Restrict PHP file inclusion

all

Configure PHP to restrict file inclusion paths via open_basedir or disable allow_url_include

php.ini: open_basedir = /var/www/html
php.ini: allow_url_include = Off

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block LFI patterns
  • Restrict file system access through proper file permissions and disable unnecessary PHP functions

🔍 How to Verify

Check if Vulnerable:

Check WordPress theme version in Appearance > Themes or use: wp theme list | grep smash

Check Version:

wp theme list --field=name,status,version | grep smash

Verify Fix Applied:

Confirm Smash theme version is >1.7 or theme is removed: wp theme status smash

📡 Detection & Monitoring

Log Indicators:

  • Unusual file path patterns in web server logs
  • Multiple requests with ../ sequences or file inclusion parameters

Network Indicators:

  • HTTP requests with file inclusion parameters like ?file=../../../etc/passwd

SIEM Query:

web.url:*file=* AND web.url:*../*

📊 Metadata

CVE ID: CVE-2025-53443
CVSS v3 Score: 8.1 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-98
EPSS Score: 0.17% exploit probability (37.5th percentile)
Published: December 18, 2025
Last Updated: January 20, 2026

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-53443, you might also want to check these:

CVE-2025-25174 10.0

This CVE describes a PHP Local File Inclusion vulnerability in the BeeTeam368 Extensions WordPress p...

Same vulnerability type (CWE-98)
CVE-2025-49994 9.8

This vulnerability allows attackers to include local files on the server through improper filename c...

Same vulnerability type (CWE-98)
CVE-2025-50003 9.8

This vulnerability allows attackers to include local PHP files through improper filename control in ...

Same vulnerability type (CWE-98)