CVE-2025-49360 is a vulnerability identified in the AncoraThemes Militarology WordPress theme, specifically versions up to and including 1.0.15. The issue arises from improper control over the filename used in PHP include or require statements, leading to a Local File Inclusion (LFI) vulnerability. This flaw allows an attacker to manipulate the input to include arbitrary files from the server's filesystem, potentially exposing sensitive data or enabling code execution if combined with other vulnerabilities. The vulnerability is remotely exploitable over the network without requiring authentication, though it requires user interaction, such as clicking a crafted link or visiting a malicious page. The CVSS v3.1 base score is 8.1, reflecting high severity due to the potential for high confidentiality and integrity impact, while availability impact is rated as none. The vulnerability does not currently have known exploits in the wild, but the risk remains significant given the ease of exploitation and the sensitive nature of data that can be accessed. The vulnerability was reserved in June 2025 and published in December 2025, indicating recent discovery. AncoraThemes has not yet released a patch, and no direct patch links are available. The vulnerability affects the Militarology theme, which is used primarily in WordPress environments, a popular CMS platform worldwide. The flaw stems from insufficient validation or sanitization of user-supplied input used in PHP include or require statements, a common source of LFI vulnerabilities. Attackers exploiting this vulnerability can read arbitrary files on the server, potentially including configuration files, credentials, or other sensitive data, and may also manipulate application logic or escalate attacks if combined with other vulnerabilities.

For European organizations, the impact of CVE-2025-49360 can be significant, especially for those relying on the Militarology theme for their WordPress-based websites. The vulnerability can lead to unauthorized disclosure of sensitive information such as configuration files, user data, or credentials, compromising confidentiality. Integrity is also at risk, as attackers may alter files or inject malicious code, potentially leading to website defacement or further compromise. Although availability is not directly impacted, the indirect effects of data breaches or website defacement can disrupt business operations and damage reputation. Organizations in sectors such as government, finance, healthcare, and e-commerce, which often handle sensitive data and maintain public-facing websites, are particularly vulnerable. The ease of exploitation without authentication increases the risk of widespread attacks, especially if attackers craft phishing campaigns to induce user interaction. The lack of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, as attackers may develop exploits rapidly once the vulnerability is public. European organizations must consider the potential regulatory implications under GDPR if personal data is exposed due to this vulnerability.

1. Monitor AncoraThemes official channels for a security patch addressing CVE-2025-49360 and apply it immediately upon release. 2. Until a patch is available, restrict file inclusion paths by configuring PHP settings such as open_basedir to limit accessible directories, reducing the risk of arbitrary file inclusion. 3. Implement Web Application Firewalls (WAFs) with rules specifically designed to detect and block LFI attack patterns, including suspicious include/require parameter manipulations. 4. Conduct thorough code reviews and security audits of the Militarology theme and any customizations to identify and remediate unsafe file inclusion practices. 5. Employ strict input validation and sanitization on all user-supplied data that could influence file inclusion logic. 6. Limit user interaction vectors by educating users on phishing risks and suspicious links that could trigger exploitation. 7. Maintain regular backups of website data and configurations to enable quick recovery in case of compromise. 8. Consider temporarily disabling or replacing the Militarology theme with a more secure alternative if immediate patching is not possible. 9. Monitor web server and application logs for unusual access patterns or errors indicative of LFI attempts. 10. Ensure that PHP error reporting is configured not to expose sensitive path information to end users, reducing information leakage.