CVE-2025-22311

CVE-2025-22311 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, classified as PHP Remote File Inclusion (CWE-98), in the DeluxeThemes Private Messages for UserPro WordPress plugin (userpro-messaging). This issue affects all versions from n/a through 4.10.0 inclusive. Published on 2025-01-21, it carries a CVSS v3.1 base score of 7.5 (High), reflecting network accessibility (AV:N), high attack complexity (AC:H), no privileges required (PR:N), user interaction needed (UI:R), unchanged scope (S:U), and high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H).

Unauthenticated attackers can exploit this vulnerability remotely by tricking users into interacting with malicious input, such as crafted links or parameters that manipulate filename controls in PHP include/require statements. Successful exploitation enables attackers to include and execute arbitrary remote files, potentially resulting in full server compromise, including data theft, modification, or denial of service.

Patchstack's advisory at https://patchstack.com/database/Wordpress/Plugin/userpro-messaging/vulnerability/wordpress-private-messages-for-userpro-plugin-4-10-0-local-file-inclusion-vulnerability?_s_id=cve provides details on the vulnerability in the Private Messages for UserPro plugin version 4.10.0, recommending updates to patched versions where available.