CVE-2025-30849: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in g5theme Essential Real Estate
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in g5theme Essential Real Estate essential-real-estate allows PHP Local File Inclusion. This issue affects Essential Real Estate: from n/a through <= 5.2.0.
AI Analysis
Technical Summary
CVE-2025-30849 identifies a Local File Inclusion (LFI) vulnerability in the g5theme Essential Real Estate WordPress theme, specifically in versions up to 5.2.0. The vulnerability stems from improper control over the filename parameter used in PHP's include or require statements. This flaw allows an attacker to manipulate the input to include arbitrary files from the server's filesystem. Such an attack can lead to disclosure of sensitive files (e.g., configuration files, password stores), or in some cases, remote code execution if combined with other vulnerabilities or writable file locations. The vulnerability is categorized as a PHP Remote File Inclusion type but is actually a Local File Inclusion since it involves local files. The root cause is insufficient input validation or sanitization of user-controlled parameters that dictate which files are included by the PHP application. No official patches or exploit code are currently published, but the vulnerability is publicly disclosed and assigned CVE-2025-30849. The affected product is a popular WordPress theme used in real estate websites, which often handle sensitive client data and business-critical information. The absence of a CVSS score requires an expert severity assessment based on impact and exploitability factors.
Potential Impact
The primary impact of this vulnerability is unauthorized access to sensitive files on the web server, which can lead to information disclosure including credentials, configuration files, or other private data. In some scenarios, attackers might leverage this flaw to execute arbitrary code, escalate privileges, or pivot within the network. For organizations, this can result in data breaches, loss of customer trust, regulatory penalties, and operational disruption. Real estate websites often contain personal client information and financial data, increasing the risk and potential damage. Since the vulnerability does not require authentication and can be triggered remotely, the attack surface is broad. Exploitation could also facilitate further attacks such as webshell deployment or lateral movement. The lack of known exploits currently reduces immediate risk but the public disclosure increases the likelihood of future exploitation attempts.
Mitigation Recommendations
Organizations should immediately monitor for any suspicious file inclusion attempts in web server logs and implement web application firewall (WAF) rules to block malicious input patterns targeting include/require parameters. Once available, update the g5theme Essential Real Estate theme to a patched version that properly validates and sanitizes input used in file inclusion functions. In the interim, restrict PHP include paths using open_basedir or disable allow_url_include in PHP configurations to limit file inclusion scope. Apply the principle of least privilege to web server file permissions to minimize accessible files. Conduct code reviews and penetration testing focused on file inclusion vectors. Additionally, consider isolating the affected application environment and applying network segmentation to limit potential lateral movement if exploitation occurs. Regular backups and incident response plans should be prepared in case of compromise.
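The log monitoring recommended above can be sketched as follows. This is an added example, not code from the advisory or the vendor; the parameter name `view`, the sample log lines and the indicator list are constructed assumptions, since the advisory does not name the affected parameter.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Indicators checked against each fully decoded query-parameter value.
INDICATORS = {
    "traversal": re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)"),
    "stream_wrapper": re.compile(r"^(?:php|data|expect|zip|phar|file)://", re.I),
    "remote_url": re.compile(r"^(?:https?|ftp)://", re.I),
    "null_byte": re.compile(r"\x00"),
    "sensitive_file": re.compile(r"(?:^|/)(?:etc/passwd|wp-config\.php)", re.I),
}
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample lines (combined log format); "view" is a hypothetical parameter.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Apr/2026:10:00:00 +0000] "GET /?view=property-list&page=2 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Apr/2026:10:00:05 +0000] "GET /?view=..%2f..%2fwp-config.php HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Apr/2026:10:00:09 +0000] "GET /?view=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 0',
]

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input (%252e) is normalized."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan_line(line):
    """Return the sorted (parameter, indicator) hits for one access-log line."""
    match = REQUEST.search(line)
    if not match:
        return []
    hits = set()
    # parse_qsl decodes once; fully_decode handles any remaining encoding layers.
    for name, raw in parse_qsl(urlsplit(match.group(1)).query, keep_blank_values=True):
        value = fully_decode(raw)
        hits.update((name, label) for label, rx in INDICATORS.items() if rx.search(value))
    return sorted(hits)

def scan_log(lines):
    """Map 1-based line number to hits, skipping clean lines."""
    return {n: h for n, line in enumerate(lines, 1) if (h := scan_line(line))}

if __name__ == "__main__":
    for number, hits in scan_log(SAMPLE_LOG).items():
        print(number, hits)
```

Access logs normally record only the request line, so parameters sent in POST bodies need WAF or application-level logging to be covered by the same checks.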
Affected Countries
United States, United Kingdom, Canada, Australia, Germany, France, India, Brazil, South Africa, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: Patchstack
- Date Reserved: 2025-03-26T09:20:54.385Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 69cd7329e6bfc5ba1def0b20
Added to database: 4/1/2026, 7:34:01 PM
Last enriched: 4/2/2026, 12:29:43 AM
Last updated: 4/6/2026, 12:41:22 AM