CVE-2025-49363

WordPress Kings & Queens theme <= 1.1.16 - Local File Inclusion vulnerability

CVSS 8.1 HIGH | EPSS 0.6% | CWE-98

In short

The Kings & Queens WordPress theme, version 1.1.16 and earlier, contains a flaw that allows attackers to include and execute arbitrary local files on the server. This can lead to unauthorized access to sensitive data or remote code execution.

Technical detail

CWE-98 (Improper Control of Filename for Include/Require Statement) in the Kings & Queens theme permits local file inclusion (LFI) through inadequately sanitized file path parameters. An unauthenticated attacker can leverage this to include arbitrary files from the server filesystem, potentially leading to information disclosure or arbitrary code execution if combined with file upload capabilities.

Summary generated and translated by AI from the official description.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Kings & Queens kings-queens allows PHP Local File Inclusion. This issue affects Kings & Queens: from n/a through <= 1.1.16.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
