CVE-2025-49359
WordPress ShieldGroup theme <= 2.13 - Local File Inclusion vulnerability
In short
The WordPress ShieldGroup theme allows attackers to include and execute arbitrary files from the server through a vulnerable parameter. This lets attackers read sensitive files or run malicious code without needing an account.
Technical detail
A PHP Local File Inclusion (LFI) vulnerability exists in ShieldGroup theme <= 2.13 due to improper sanitization of filename parameters in include/require statements. An unauthenticated attacker can manipulate input to access arbitrary files on the server, potentially leading to information disclosure or remote code execution if combined with file upload capabilities.
Summary generated and translated by AI from the official description.
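The advisory does not show the theme's code or name the affected parameter. As an added example (not code from ShieldGroup or AncoraThemes), this is one way to stop a request value from reaching `include` unchecked: an exact-match allowlist followed by a canonical-path containment check. The function name, template names and temporary directory are hypothetical.

```php
<?php
// Added example; every name here is hypothetical, not taken from the theme.
// Unsafe pattern of the kind the advisory describes (request value flows into include):
//   include $baseDir . '/' . $_GET['part'] . '.php';

/** Resolve a requested template name to a file inside $baseDir, or return null. */
function resolve_template(string $baseDir, array $allowed, string $requested): ?string
{
    // 1. Allowlist: only exact, known names are accepted (strict comparison).
    if (!in_array($requested, $allowed, true)) {
        return null;
    }
    // 2. Containment: canonicalise both paths and require the file to sit under the base.
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    $path = realpath($base . DIRECTORY_SEPARATOR . $requested . '.php');
    if ($path === false) {
        return null; // allowlisted name, but no such file on disk
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Constructed fixture: a temporary template directory holding one file.
$baseDir = sys_get_temp_dir() . '/tpl_' . bin2hex(random_bytes(4));
mkdir($baseDir);
file_put_contents($baseDir . '/header.php', '<?php echo "  (header rendered)\n";');

$allowed = ['header', 'footer']; // 'footer' is allowlisted but absent on disk
$inputs  = ['header', 'footer', '../outside', '/abs/outside', "header\0"]; // constructed

foreach ($inputs as $in) {
    $resolved = resolve_template($baseDir, $allowed, $in);
    printf("%-18s => %s\n", json_encode($in), $resolved === null ? 'rejected' : 'include ' . basename($resolved));
    if ($resolved !== null) {
        include $resolved; // only reached for a vetted, canonical path
    }
}

unlink($baseDir . '/header.php');
rmdir($baseDir);
```

Only `header` is included; the missing file, the relative and absolute paths, and the name carrying a NUL byte are all rejected before `include` runs.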
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes ShieldGroup shieldgroup allows PHP Local File Inclusion. This issue affects ShieldGroup: from n/a through <= 2.13.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
AncoraThemes · ShieldGroup