CVE-2025-49360

WordPress Militarology theme <= 1.0.15 - Local File Inclusion vulnerability

CVSS 8.1 HIGH | EPSS 0.5% | CWE-98
In short

The WordPress Militarology theme, in versions up to and including 1.0.15, contains a flaw that allows attackers to make the server include and execute arbitrary local files through a PHP include/require statement. This can lead to unauthorized access to sensitive files or execution of malicious code.

Technical detail

A PHP Local File Inclusion (LFI) vulnerability stems from the Militarology theme's improper handling of filename parameters in include/require statements. An unauthenticated attacker can manipulate input to traverse the file system and include arbitrary local files, potentially leading to information disclosure, or to remote code execution if combined with file upload mechanisms.

Summary generated and translated by AI from the official description.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Militarology militarology allows PHP Local File Inclusion. This issue affects Militarology: from n/a through <= 1.0.15.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
