CVE-2025-52815: CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in AncoraThemes CityGov
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes CityGov allows PHP Local File Inclusion. This issue affects CityGov: from n/a through 1.9.
AI Analysis
Technical Summary
CVE-2025-52815 is a high-severity vulnerability classified under CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program, the weakness behind Remote File Inclusion (RFI) and Local File Inclusion (LFI) bugs. It affects the AncoraThemes CityGov product, versions up to 1.9. The flaw arises because the application does not adequately control the filename used in a PHP include or require statement, so an attacker who influences that value can make the application include files it was never meant to load. Although the description refers to PHP Local File Inclusion, CWE-98 covers both cases: an attacker-influenced path may point at a local file or, where the PHP configuration permits it, at a remote one. Exploitation can lead to arbitrary code execution, full system compromise, or disclosure of sensitive information through inclusion of malicious or unintended files. The CVSS v3.1 base score is 8.1 (High), with network attack vector (AV:N), high attack complexity (AC:H), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), and high impact on confidentiality, integrity, and availability (C:H/I:H/A:H). No known exploits are currently reported in the wild, and no patches have been linked yet, which suggests that the vulnerability is newly disclosed and may be targeted soon. It is of particular concern for web servers running the CityGov theme, which is used primarily on municipal or government-related websites built on PHP platforms, possibly WordPress or a similar CMS. An attacker exploiting this flaw can execute arbitrary PHP code remotely, leading to full server takeover, data theft, defacement, or pivoting into internal networks.
Potential Impact
For European organizations, particularly local governments, municipalities, and public sector entities using the AncoraThemes CityGov product, this vulnerability poses a significant risk. Successful exploitation could lead to unauthorized access to sensitive citizen data, disruption of public services, and damage to the trustworthiness of government digital infrastructure. Given the high confidentiality, integrity, and availability impacts, attackers could manipulate public information, cause denial of service, or use compromised servers as a foothold for further attacks within critical infrastructure. The lack of required privileges and user interaction means attackers can exploit this remotely and autonomously, increasing the risk of widespread attacks. Additionally, the public sector in Europe is a frequent target for cyber espionage and hacktivism, making this vulnerability attractive for threat actors aiming to disrupt government operations or leak sensitive data. The absence of patches increases the window of exposure, and the high attack complexity suggests that while exploitation is not trivial, skilled attackers can leverage this flaw effectively.
Mitigation Recommendations
Immediate mitigation steps include:
1) Restrict web server access to trusted IP addresses where possible to limit exposure.
2) Deploy a Web Application Firewall (WAF) with custom rules that detect and block manipulation of include/require parameters, such as directory traversal sequences or URLs where a template name is expected.
3) Disable the allow_url_include and allow_url_fopen directives in the PHP configuration to close the remote file inclusion vector. This does not stop local file inclusion, and some legitimate functionality (HTTP requests made through PHP streams) depends on allow_url_fopen, so test the change before rolling it out.
4) Apply strict input validation and sanitisation on any parameter that feeds an include/require statement, ideally an allowlist that maps request values to a fixed set of known files; stripping traversal characters from free-form input is easy to get wrong and should not be relied on alone.
5) Monitor web server logs for unusual requests targeting include or require parameters.
6) Run the web server environment under least-privilege principles to limit the impact of a successful exploit.
7) Contact AncoraThemes or monitor their official channels for patches or updates and apply them promptly once available.
8) Audit all PHP code in the CityGov theme for similar unsafe file inclusion patterns and remediate them.
Together these measures combine configuration hardening, proactive detection, and code-level remediation for this class of vulnerability.
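One way to implement steps 3 and 4 in PHP, as an added example that is not CityGov's code and does not reproduce the affected theme's code path: a hypothetical section loader that shows the CWE-98 pattern beside an allowlist-based replacement. The template directory, the `section` request parameter and the allowlist entries are assumptions.

```php
<?php
// Added illustration; hypothetical section loader, not CityGov's code.
// Assumes templates live in TEMPLATE_DIR and the request carries "section".
const TEMPLATE_DIR = __DIR__ . '/templates';
// CWE-98 pattern: the request value becomes part of the include target, so a
// traversal sequence or a URL in $section escapes the template directory.
function loadSectionUnsafe(string $section): void
{
    include TEMPLATE_DIR . '/' . $section . '.php';
}
// Hardened resolver: map the untrusted value through a fixed allowlist, then
// confirm the resolved path still sits inside TEMPLATE_DIR.
function resolveSection(string $section): ?string
{
    static $allowed = [
        'news'     => 'news.php',
        'events'   => 'events.php',
        'contacts' => 'contacts.php',
    ];
    if (!isset($allowed[$section])) {
        return null;                       // unknown key: refuse, never guess
    }
    $base = realpath(TEMPLATE_DIR);
    $path = realpath(TEMPLATE_DIR . '/' . $allowed[$section]);
    // realpath() is false for missing files; the prefix check also catches a
    // symlink or a tampered allowlist entry that points outside the directory.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}
function loadSection(string $section): void
{
    $path = resolveSection($section);
    if ($path === null) {
        http_response_code(404);
        return;
    }
    include $path;
}
// Mitigation step 3 as a start-up check: log when the remote wrappers are on.
foreach (['allow_url_include', 'allow_url_fopen'] as $directive) {
    if (filter_var(ini_get($directive), FILTER_VALIDATE_BOOLEAN)) {
        error_log("insecure php.ini: {$directive} is enabled");
    }
}
loadSection((string) ($_GET['section'] ?? 'news'));
```

The unsafe loader is kept only to show the pattern an audit (step 8) should look for; in real code only `loadSection` would remain.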
Affected Countries
Germany, France, Italy, Spain, Poland, Netherlands, Belgium, Sweden, Austria, Denmark
Technical Details
- Data Version: 5.1
- Assigner Short Name: Patchstack
- Date Reserved: 2025-06-19T10:03:36.791Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 685e88efca1063fb875de545
Added to database: 6/27/2025, 12:05:03 PM
Last enriched: 6/27/2025, 12:22:00 PM
Last updated: 8/13/2025, 12:10:07 AM