CVE-2025-23945
Published: 03 March 2025
Description
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Security Summary
CVE-2025-23945 is an Improper Control of Filename for Include/Require Statement vulnerability, classified as PHP Remote File Inclusion but enabling PHP Local File Inclusion, in the Popliup WordPress plugin. The issue affects Popliup versions from n/a through 1.1.1 and is associated with CWE-98. It carries a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H).
Low-privileged authenticated users can exploit this vulnerability remotely with high attack complexity and no user interaction. Successful exploitation results in high impacts to confidentiality, integrity, and availability, allowing attackers to include local files via improper filename controls in PHP include/require statements.
The Patchstack advisory provides further details on this vulnerability, available at https://patchstack.com/database/Wordpress/Plugin/popliup/vulnerability/wordpress-popliup-plugin-1-1-1-local-file-inclusion-vulnerability?_s_id=cve.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is an LFI in a public-facing WordPress plugin exploitable by low-privileged authenticated users, directly enabling exploitation of public-facing applications (T1190) and privilege escalation via high-impact code execution or file inclusion (T1068).