CVE-2025-23938
Published: 22 January 2025
Description
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Security Summary
CVE-2025-23938 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, classified as PHP Remote File Inclusion but enabling PHP Local File Inclusion, in the Image Gallery Box by CRUDLab WordPress plugin. This issue affects all versions from n/a through 1.0.3 and is associated with CWE-98. The vulnerability was published on 2025-01-22.
The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating exploitation over the network with high attack complexity, requiring low privileges, no user interaction, and unchanged scope. Low-privileged authenticated attackers can exploit it to achieve high impacts on confidentiality, integrity, and availability, such as unauthorized file access or execution via local file inclusion.
Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/image-gallery-box-by-crudlab/vulnerability/wordpress-image-gallery-box-by-crudlab-plugin-1-0-3-local-file-inclusion-vulnerability?_s_id=cve.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The LFI vulnerability in a public-facing WordPress plugin directly enables exploitation of public-facing applications (T1190) for initial access and unauthorized access to local system files for data collection (T1005), with high impacts on C/I/A via file inclusion.