The vulnerability CVE-2025-49943 in AncoraThemes Femme arises from improper validation or control of filenames used in PHP include or require statements. This allows an attacker to perform Local File Inclusion (LFI), potentially exposing sensitive files or enabling code execution. The affected versions include all up to 1.3.11. The CVSS 3.1 base score is 8.1, reflecting a network attack vector with high impact on confidentiality, integrity, and availability. No patch or official fix information is currently available, and no exploits have been observed in the wild. The vulnerability is not related to a cloud service, so remediation requires vendor or user action.

Successful exploitation of this vulnerability can lead to unauthorized disclosure of sensitive information, modification of data, and disruption of service on systems running vulnerable versions of AncoraThemes Femme. The high CVSS score indicates a significant risk if exploited. However, there are no known active exploits reported at this time.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider mitigating exposure by restricting access to vulnerable endpoints, applying web application firewalls with rules targeting LFI attempts, and monitoring for suspicious activity related to file inclusion. Avoid deploying vulnerable versions in production environments where possible.