CVE-2025-53449
📋 TL;DR
This CVE describes a PHP Local File Inclusion vulnerability in the Convex WordPress theme. Attackers can include arbitrary local files through improper filename control in PHP include/require statements, potentially leading to sensitive information disclosure or code execution. WordPress sites using Convex theme versions up to and including 1.11 are affected.
💻 Affected Systems
- axiomthemes Convex WordPress Theme
📦 What is this software?
Convex by Axiomthemes
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise through inclusion of malicious PHP files leading to remote code execution, sensitive file disclosure (including configuration files with database credentials), and complete site takeover.
Likely Case
Sensitive file disclosure (wp-config.php, /etc/passwd, etc.), partial code execution through existing PHP files, and potential privilege escalation.
If Mitigated
Limited impact due to proper file permissions, disabled PHP execution in upload directories, and web server security configurations.
🎯 Exploit Status
Exploitation requires identifying vulnerable include/require statements and crafting file path traversal payloads. Public exploit details available through security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version after 1.11 (check for 1.12 or later)
Vendor Advisory: https://patchstack.com/database/Wordpress/Theme/convex/vulnerability/wordpress-convex-theme-1-11-local-file-inclusion-vulnerability?_s_id=cve
Restart Required: No
Instructions:
1. Update the Convex theme to the latest version via the WordPress admin panel.
2. If no update is available, remove the theme and replace it with a secure alternative.
3. Clear the WordPress cache after the update.
🔧 Temporary Workarounds
Disable vulnerable theme
Switch to the default WordPress theme or another secure theme:
wp theme activate twentytwentyfour
wp theme delete convex
Restrict file inclusion paths
Configure PHP open_basedir in php.ini to restrict the directories PHP may read:
open_basedir = "/var/www/html:/tmp"
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block file inclusion patterns and path traversal attempts
- Restrict theme file permissions and implement strict file upload validation
🔍 How to Verify
Check if Vulnerable:
Check the WordPress admin panel for the Convex theme version. If the version is <= 1.11, the site is vulnerable.
Check Version:
wp theme list --fields=name,status,version | grep convex
Verify Fix Applied:
Confirm the Convex theme version is > 1.11. Test that file inclusion attempts return proper errors instead of file contents.
📡 Detection & Monitoring
Log Indicators:
- Unusual file path patterns in access logs (../../, /etc/passwd, wp-config.php)
- PHP include/require errors with traversal sequences
Network Indicators:
- HTTP requests with file path traversal in parameters
- Requests to theme files with unusual parameters
SIEM Query:
web_access_logs WHERE url CONTAINS '..' AND url CONTAINS 'theme' AND (url CONTAINS 'include' OR url CONTAINS 'require')
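An added example of the detection logic above applied to web access logs (not part of the original advisory). It generalizes the SIEM query: it decodes percent-encoding (including double encoding) before matching, flags any theme request carrying a traversal sequence or one of the sensitive file names listed under Log Indicators, and does not require the literal words "include" or "require" in the URL. The log lines, IPs and the include.php script name are constructed placeholders, not the theme's real files.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in Apache/Nginx combined format (not real traffic).
# The "include.php" script name is a placeholder, not an actual Convex theme file.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2025:10:00:00 +0000] "GET /wp-content/themes/convex/index.php?page=home HTTP/1.1" 200 512
203.0.113.7 - - [01/Jan/2025:10:00:01 +0000] "GET /wp-content/themes/convex/include.php?file=../../../../etc/passwd HTTP/1.1" 200 1024
203.0.113.9 - - [01/Jan/2025:10:00:02 +0000] "GET /wp-content/themes/convex/include.php?file=..%2F..%2Fwp-config.php HTTP/1.1" 200 2048
203.0.113.3 - - [01/Jan/2025:10:00:03 +0000] "GET /index.php?p=1 HTTP/1.1" 200 300
"""

# Pull the request path out of the quoted request line.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<url>\S+) HTTP/[\d.]+"')
# Directory traversal in either slash style, checked after decoding.
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')
# Sensitive targets named in the advisory's Log Indicators section.
SENSITIVE_RE = re.compile(r'/etc/passwd|wp-config\.php', re.IGNORECASE)


def normalize_url(url: str) -> str:
    """Decode percent-encoding twice so %2e%2e%2f and %252e%252e%252f both become '../'."""
    return unquote(unquote(url)).lower()


def is_suspicious(url: str) -> bool:
    """Theme request containing a traversal sequence or a sensitive file name."""
    u = normalize_url(url)
    if "theme" not in u:
        return False
    return bool(TRAVERSAL_RE.search(u) or SENSITIVE_RE.search(u))


def scan_log(text: str) -> list[str]:
    """Return the raw request URLs from log lines that match the LFI indicators."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if m and is_suspicious(m.group("url")):
            hits.append(m.group("url"))
    return hits


if __name__ == "__main__":
    for url in scan_log(SAMPLE_LOG):
        print("suspicious request:", url)
```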