CVE-2025-52815
Description
The CityGov WordPress theme <=1.9 has a Local File Inclusion vulnerability allowing attackers to read sensitive files like database credentials.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Overview
The CityGov WordPress theme by AncoraThemes, versions up to and including 1.9, contains a Local File Inclusion (LFI) vulnerability due to improper control of filenames used in PHP include/require statements [1]. This flaw allows an attacker to manipulate file paths and include arbitrary local files from the server.
Exploitation
An attacker can exploit this vulnerability by sending specially crafted HTTP requests to the affected theme, without requiring authentication [1]. The attack surface is broad, as the theme is used on many WordPress sites, and the vulnerability is expected to be targeted in mass-exploit campaigns.
Impact
Successful exploitation enables an attacker to read sensitive local files, such as wp-config.php, which contains database credentials. This could lead to complete database takeover, depending on the server configuration [1]. The CVSS score of 8.1 (High) reflects the severity and ease of exploitation.
Mitigation
The vendor has released a patched version; users should update CityGov to version 1.10 or later immediately [1]. If updating is not possible, users are advised to contact their hosting provider or a web developer for assistance.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
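To act on the mitigation above across a hosting tree, the following added example (not code from the vendor or from this CVE record) reads the `Version:` header of each installed copy of the theme and flags anything below 1.10. The theme directory name `citygov` and the `wp-content/themes/` layout are assumptions; adjust them if the theme is installed under another name.

```python
import re
import sys
from pathlib import Path

FIXED = (1, 10)         # first patched release named in the advisory
THEME_SLUG = "citygov"  # assumption: the theme's directory name

def parse_version(css_text):
    """Return the 'Version:' header of a theme style.css as a tuple of ints."""
    m = re.search(r"^[ \t/*#@]*Version:[ \t]*(\d+(?:\.\d+)*)", css_text, re.M | re.I)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def classify(version):
    """Map a parsed version to 'vulnerable', 'patched' or 'unknown'."""
    if version is None:
        return "unknown"  # header missing or unparsable: review by hand
    # Tuple comparison is numeric per component, so 1.10 sorts after 1.9
    # (a plain string comparison would wrongly put "1.10" before "1.9").
    return "vulnerable" if version < FIXED else "patched"

def scan(root):
    """Return [(style.css path, version string, status)] for installs under root."""
    findings = []
    pattern = f"wp-content/themes/{THEME_SLUG}/style.css"
    for css in sorted(Path(root).rglob(pattern)):
        with open(css, encoding="utf-8", errors="replace") as fh:
            header = fh.read(8192)  # WordPress reads theme headers from the first 8 KB
        version = parse_version(header)
        label = ".".join(map(str, version)) if version else "?"
        findings.append((str(css), label, classify(version)))
    return findings

if __name__ == "__main__":
    rows = scan(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, label, status in rows:
        print(f"{status:10} {label:8} {path}")
    sys.exit(1 if any(s != "patched" for _, _, s in rows) else 0)
```

Run it with the web root as the only argument; the non-zero exit status when any copy is vulnerable or unreadable makes it usable in a scheduled check.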
Affected products (1)
- Range: <=1.9
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.