CVE-2025-53440: Axiomthemes Confidant PHP Local File Inclusion (LFI) Vulnerability – CVSS 8.1 HIGH
CVE-2025-53440 is a PHP Local File Inclusion (LFI) vulnerability in Axiomthemes Confidant that allows an attacker to manipulate file path inputs, potentially leading to the inclusion and execution of arbitrary files on the affected server. The vulnerability stems from improper validation of filenames used in PHP include/require statements. An attacker can exploit this over the network without authentication to read sensitive files or execute malicious code, posing a significant risk to websites using vulnerable versions of Confidant.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.1 HIGH · CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-98
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-02 / 2026-06-17
NVD description (verbatim)
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Axiomthemes Confidant allows PHP Local File Inclusion. This issue affects Confidant: from n/a through 1.4.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability is classified as CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program) and manifests as a PHP Remote File Inclusion (RFI)/Local File Inclusion (LFI) flaw. The root cause is insufficient input validation on filenames passed to PHP's include() or require() functions. An attacker can craft requests containing directory traversal sequences or file paths that cause the application to load unintended files from the server filesystem or, in certain configurations, from remote locations. The CVSS 3.1 score of 8.1 reflects the high impact on confidentiality, integrity, and availability, with network accessibility but requiring higher complexity to exploit (likely due to specific application state or parameter conditions).
Business impact
Exploitation of this vulnerability could allow attackers to read sensitive configuration files, database credentials, private keys, and other confidential data stored on the server. In worst-case scenarios, attackers could execute arbitrary PHP code, leading to complete server compromise, malware installation, or unauthorized data modification. Organizations running affected Confidant versions face risk of data breaches, website defacement, service disruption, and potential compliance violations depending on data exposure and regulatory obligations.
Affected systems
Axiomthemes Confidant versions 1.4 and earlier are affected. Organizations should audit their deployments to identify running versions and prioritize updates. The vendor information is limited in available structured data; operators should verify their specific installed version against Axiomthemes official documentation or contact the vendor for comprehensive affected-version confirmation.
Exploitability
The vulnerability is exploitable remotely without authentication, making it accessible to unauthenticated threat actors. However, the CVSS attack complexity rating of 'High' suggests that successful exploitation may require knowledge of specific file paths, particular server configurations, or application-specific conditions. While not trivial, determined attackers with reconnaissance of the target environment can likely craft working payloads. The lack of KEV (Known Exploited Vulnerability) status as of the current update does not eliminate real-world risk, particularly if proof-of-concept details or active exploitation becomes public.
Remediation
Organizations should immediately update Axiomthemes Confidant to the latest patched version beyond 1.4. Before patching, implement network-level controls such as Web Application Firewall (WAF) rules to block requests containing directory traversal sequences (../, ..\ ) and suspicious file path patterns. Review server logs for signs of exploitation attempts. Additionally, apply the principle of least privilege to file system permissions, limiting the PHP process's ability to read sensitive files outside the application directory.
Patch guidance
Verify the availability of a patched version from Axiomthemes beyond version 1.4 through their official website or vendor advisory. Apply patches promptly in a controlled test environment before production deployment to ensure compatibility with existing configurations and plugins. Document the patch version applied for audit and compliance tracking. Organizations should establish a recurring update schedule to prevent similar vulnerabilities from remaining unpatched.
Detection guidance
Monitor web server logs for HTTP requests containing URL-encoded or raw directory traversal sequences (%2e%2e%2f, ../, etc.) targeting common PHP include/require file parameters. Inspect access logs for unusual file includes from unexpected paths (e.g., /etc/passwd, /proc/self/, config files). Implement intrusion detection signatures that flag attempts to include files outside the intended application directory. Review PHP error logs for warnings related to failed file inclusions or unexpected include paths. Conduct regular code review or static analysis of Confidant installations to identify exposed include/require statements accepting unsanitized user input.
Why prioritize this
With a CVSS score of 8.1 (HIGH severity), network accessibility, and no authentication requirement, this vulnerability merits urgent remediation. File inclusion flaws are well-understood attack vectors with proven exploitation techniques. The potential impact on confidentiality, integrity, and availability is severe. Organizations should prioritize patching Confidant instances within days rather than weeks, particularly if the affected systems are internet-facing or handle sensitive data.
Risk score, explained
The CVSS 3.1 score of 8.1 reflects: (1) Network Attack Vector (AV:N) — remotely exploitable without physical access; (2) High Attack Complexity (AC:H) — requires specific conditions or knowledge but not impossible; (3) No Privileges Required (PR:N) — unauthenticated exploitation; (4) No User Interaction (UI:N) — fully automated attack possible; (5) Unchanged Scope (S:U) — impact limited to the vulnerable component; (6) High Confidentiality, Integrity, and Availability Impact (C:H/I:H/A:H) — file inclusion can lead to data theft, code execution, and service disruption. This scoring reflects a serious but not critical vulnerability; organizations should treat it with urgency.
Frequently asked questions
Can this vulnerability be exploited remotely without any credentials?
Yes. CVE-2025-53440 requires no authentication, allowing unauthenticated attackers to craft malicious requests over the network. The barrier is technical knowledge of the application's include/require parameters and target file paths, not access credentials.
What is the difference between Local File Inclusion (LFI) and Remote File Inclusion (RFI) in this context?
LFI allows an attacker to include files already present on the server, such as configuration or system files. RFI, in some configurations, allows inclusion of files from remote servers. This CVE description emphasizes LFI but notes it can also manifest as RFI depending on PHP settings (allow_url_include). Regardless of the inclusion source, the outcome is arbitrary code execution or data disclosure.
Do I need to patch immediately if my Confidant installation is behind a WAF or network firewall?
While network controls can reduce exposure, they are not a substitute for patching. A properly configured WAF can block obvious exploitation attempts, but attackers may craft bypasses or use obfuscation techniques. Patch Confidant as soon as feasible to eliminate the underlying vulnerability rather than relying solely on perimeter controls.
Is there a workaround if I cannot patch Confidant immediately?
No guaranteed workaround exists, but you can reduce risk by restricting network access to Confidant through firewall rules or IP whitelisting, disabling PHP's allow_url_include directive if enabled, applying strict file system permissions to limit readable files, and monitoring logs closely for exploitation attempts while preparing for a timely patch deployment.
This analysis is provided for informational purposes and reflects publicly available vulnerability data as of the publish and modification dates noted. Readers should verify all remediation steps, patch availability, and affected version details directly with Axiomthemes official advisories and their own security teams. SEC.co makes no warranty regarding the completeness or accuracy of vendor-provided information. Organizations are responsible for assessing their environment and implementing appropriate security measures. Exploit details or weaponized proof-of-concept information are not included in this analysis. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2025-58024HIGHUnboundStudio Accordion FAQ Local File Inclusion Vulnerability – CVSS 7.5 HIGH
- CVE-2025-58705HIGHCrafti PHP Local File Inclusion (LFI) Vulnerability – Patch Guide
- CVE-2025-58707HIGHPHP Local File Inclusion in Axiomthemes Spin 1.8
- CVE-2025-58897HIGHAxiomthemes Fermentio PHP Local File Inclusion Vulnerability (CVSS 8.1)
- CVE-2025-68886HIGHandroThemes Cookiteer PHP Local File Inclusion Vulnerability – CVSS 8.1
- CVE-2025-69369HIGHAxiomthemes Racquet File Inclusion Vulnerability (CVSS 8.1)
- CVE-2026-37266HIGHResponsive File Manager 9.14.0 Remote Code Execution via force_download.php
- CVE-2026-39552HIGHPHP Local File Inclusion in Code Supply Co. Blueprint – Patch Guidance