CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2025-53433

CVSS 9.8v3.1pub. 2025-12-18upd. 2026-04-15

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes EasyEat easyeat allows PHP Local File Inclusion.This issue affects EasyEat: from n/a through <= 1.9.0.

🤖 AI Analysis
How it works

The vulnerability results from improper control of the filename passed to the include/require instruction in the theme's PHP code. An attacker can manipulate the input parameter to point to any file locally accessible on the server. Authentication or user interaction is not required — the exploit can be carried out remotely over the network with minimal complexity.

Impact

An attacker can read sensitive system or configuration files (e.g., database credentials) and, under favorable conditions, execute malicious PHP code leading to complete server compromise.

Mitigation & patch

The EasyEat theme should be updated to a version higher than 1.9.0. If an update is not available, the theme should be immediately disabled and information from the vendor and Patchstack database should be reviewed at the address indicated in the references.

Who is affected

WordPress EasyEat theme (AncoraThemes) in versions from n/a to 1.9.0 inclusive.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
CWE
References