CVE-2025-49366: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in AncoraThemes Hanani
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Hanani hanani allows PHP Local File Inclusion. This issue affects Hanani: from n/a through <= 1.2.11.
AI Analysis
Technical Summary
CVE-2025-49366 is a Remote File Inclusion (RFI) vulnerability affecting AncoraThemes Hanani versions up to 1.2.11. The root cause is improper control over the filename parameter used in PHP include or require statements, allowing an attacker to specify a remote file URL that the server will include and execute. This flaw arises from insufficient validation or sanitization of user-supplied input that controls the file path in the PHP code. When exploited, an attacker can execute arbitrary PHP code remotely, leading to full compromise of the web application’s confidentiality and integrity. The vulnerability is remotely exploitable over the network without requiring authentication, though it requires some user interaction (e.g., visiting a malicious link). The CVSS v3.1 base score is 8.1, reflecting high impact on confidentiality and integrity, low attack complexity, no privileges required, and user interaction needed. No patches or exploit code are currently publicly available, but the vulnerability is published and known. This issue affects websites using the Hanani theme from AncoraThemes, which is a WordPress theme commonly used for business and portfolio sites. The vulnerability could be leveraged to deploy web shells, steal sensitive data, or pivot within the network. The lack of a patch at the time of disclosure increases risk for unpatched sites.
Potential Impact
For European organizations, exploitation of this vulnerability could lead to unauthorized disclosure of sensitive information, website defacement, or full web server compromise. This is particularly critical for organizations relying on AncoraThemes Hanani for their public-facing websites, including SMEs and enterprises in sectors such as finance, healthcare, and government that host sensitive data or customer portals. Attackers could use the vulnerability to implant backdoors, steal credentials, or launch further attacks within the corporate network. The impact extends to reputational damage, regulatory non-compliance (e.g., GDPR breaches due to data exposure), and operational disruption if web services are manipulated or taken offline. Since the vulnerability requires no authentication and can be exploited remotely, it poses a significant risk to any exposed web server running the affected theme. The absence of known exploits in the wild currently offers a window for proactive mitigation, but the high CVSS score indicates that exploitation would be severe if it occurs.
Mitigation Recommendations
1. Immediately monitor for updates or patches from AncoraThemes and apply them as soon as they become available.
2. Until patches are released, implement strict input validation and sanitization on all parameters controlling file includes, ensuring only expected local files can be referenced.
3. Disable allow_url_include in PHP configurations to prevent remote file inclusion.
4. Employ Web Application Firewalls (WAFs) with rules to detect and block suspicious include/require patterns or remote file inclusion attempts.
5. Conduct thorough code reviews of customizations to the Hanani theme to identify and remediate unsafe file inclusion logic.
6. Restrict web server permissions to limit the impact of any successful code execution.
7. Monitor web server logs for unusual requests or errors related to file inclusion.
8. Educate web administrators about the risks of RFI vulnerabilities and the importance of timely patching.
9. Consider isolating or sandboxing web applications to reduce lateral movement if compromise occurs.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Belgium, Sweden, Austria
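Mitigation steps 2 and 3 above are the ones a developer or site operator can act on before a vendor patch exists. The following PHP is an added illustration and is not code from the Hanani theme or from AncoraThemes; the parameter name "template", the templates directory and the allowlist entries are assumptions. It contrasts the CWE-98 pattern the advisory describes (an include path taken directly from the request) with an allowlist-plus-realpath resolver, and adds a small check of the PHP ini settings that decide whether include/require can reach remote URLs at all.

```php
<?php
// Added illustrative example; not the Hanani theme's own code.
// Assumed names: request parameter "template", directory ./templates,
// and the allowlist below.

// The pattern the advisory describes (CWE-98), shown only for contrast and
// never called here: the include target comes straight from the request.
// With allow_url_include=On a URL value is fetched and executed (RFI);
// with it Off, any readable local file can still be included (LFI).
function render_template_unsafe(string $template): void
{
    include $template;
}

// Hardened variant: the request may only pick a name from a fixed allowlist,
// and the resolved path must still live inside the templates directory.
const TEMPLATE_ALLOWLIST = ['header', 'footer', 'portfolio', 'contact'];

function resolve_template(string $template): ?string
{
    // Step 1: exact, type-strict membership test against known names.
    if (!in_array($template, TEMPLATE_ALLOWLIST, true)) {
        return null;
    }
    // Step 2: canonicalise and confirm the file sits under the base directory,
    // so a stray symlink or packaging mistake cannot widen the allowlist.
    $base = realpath(__DIR__ . '/templates');
    if ($base === false) {
        return null;
    }
    $path = realpath($base . DIRECTORY_SEPARATOR . $template . '.php');
    if ($path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function render_template(string $template): void
{
    $path = resolve_template($template);
    if ($path === null) {
        // Reject rather than fall back to a guessed file.
        http_response_code(400);
        exit('invalid template');
    }
    include $path;
}

// Configuration check for mitigation step 3: returns findings a site operator
// should act on (an empty array means the include-related ini settings are
// already in the safe state).
function include_hardening_findings(): array
{
    $findings = [];
    if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
        $findings[] = 'allow_url_include is On: include/require accept remote URLs; set it to Off';
    }
    if (filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN)) {
        $findings[] = 'allow_url_fopen is On: disable it unless a feature needs remote streams';
    }
    return $findings;
}

// Usage: only allowlisted names reach include(); everything else is a 400.
render_template($_GET['template'] ?? 'header');
```

The allowlist alone already closes the hole, because the request can no longer choose a path, only a key; the realpath check is defence in depth against the templates directory itself being tampered with. Run the ini check from a deployment script or an admin-only page and treat any returned finding as a configuration defect to fix in php.ini rather than at runtime, since ini_set() cannot change allow_url_include.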
Technical Details
- Data Version: 5.2
- Assigner Short Name: Patchstack
- Date Reserved: 2025-06-04T09:42:48.971Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 6943b0374eb3efac366ff1bd
Added to database: 12/18/2025, 7:41:43 AM
Last enriched: 1/20/2026, 8:03:28 PM
Last updated: 2/5/2026, 2:52:08 PM
Views: 27
Related Threats
- CVE-2025-14150: CWE-497 Exposure of Sensitive System Information to an Unauthorized Control Sphere in IBM webMethods Integration (on prem) - Integration Server (Medium)
- CVE-2025-13491: CWE-426 Untrusted Search Path in IBM App Connect Operator (Medium)
- CVE-2026-1927: CWE-862 Missing Authorization in wpsoul Greenshift – animation and page builder blocks (Medium)
- CVE-2026-1523: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in PRIMION DIGITEK Digitek ADT1100 (High)
- CVE-2025-13379: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in IBM Aspera Console (High)