CVE-2025-1707
Published: 11 March 2025
Description
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Security Summary
CVE-2025-1707 is a Local File Inclusion (LFI) vulnerability (CWE-98) affecting the Review Schema plugin for WordPress in all versions up to and including 2.2.4. The flaw occurs via post meta handling, enabling the inclusion and execution of arbitrary files on the server. It carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for confidentiality, integrity, and availability impacts.
Authenticated attackers with contributor-level permissions or higher can exploit this vulnerability remotely over the network with low complexity. By manipulating post meta, they can include arbitrary files, execute PHP code within those files, bypass access controls, obtain sensitive data, or achieve remote code execution if PHP files are uploadable and includable.
Wordfence advisories provide detailed threat intelligence on the vulnerability, while the plugin's Trac repository shows the vulnerable code at line 108 in ReviewSchema.php (version 2.2.4) and a patch applied in changeset 3253799. Security practitioners should update the plugin beyond version 2.2.4 to mitigate the issue.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
LFI in public-facing WordPress plugin enables remote file inclusion and PHP code execution by authenticated users, directly mapping to exploitation of public-facing applications (T1190) and command/scripting interpreter usage for RCE (T1059).