CVE-2025-52815: 
WordPress vulnerability analysis and mitigation

A Local File Inclusion vulnerability (CVE-2025-52815) was discovered in AncoraThemes CityGov WordPress theme affecting all versions through 1.9. The vulnerability was disclosed on June 25, 2025, and is classified as a PHP Remote File Inclusion vulnerability, specifically an Improper Control of Filename for Include/Require Statement in PHP Program (NVD, Patchstack).

The vulnerability has been assigned a CVSS v3.1 score of 8.1 (High) with the following vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. The issue is classified under CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program). The vulnerability requires no authentication to exploit and can be triggered remotely (Patchstack).

This vulnerability allows malicious actors to include and access local files of the target website and display their contents. Particularly concerning is the potential access to sensitive files containing credentials, such as database configuration files, which could lead to complete database compromise depending on the server configuration (Patchstack).

As of the disclosure date, no official fix is available for this vulnerability. However, Patchstack has issued a virtual patch to mitigate the issue by blocking potential attacks until an official fix becomes available. Website owners are advised to implement these mitigations immediately (Patchstack).