CVE-2025-49362

WordPress Gracioza theme <= 1.0.15 - Local File Inclusion vulnerability

CVSS 8.1 HIGH · EPSS 0.6% · CWE-98

In short

The WordPress Gracioza theme up to version 1.0.15 has a flaw that allows attackers to include and execute arbitrary local files on the server. This can lead to unauthorized access to sensitive information or server takeover.

Technical detail

A PHP Local File Inclusion (LFI) vulnerability exists in the Gracioza theme due to improper input validation on file inclusion parameters. An authenticated or unauthenticated attacker can manipulate include/require statements to access sensitive local files (e.g., configuration files, source code), potentially leading to information disclosure or remote code execution if combined with file upload mechanisms.

Summary generated and translated by AI from the official description.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Gracioza gracioza allows PHP Local File Inclusion. This issue affects Gracioza: from n/a through <= 1.0.15.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
AncoraThemes · Gracioza
