CVE-2025-23948
Published: 22 January 2025
Description
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Security Summary
CVE-2025-23948 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, classified as a PHP Remote File Inclusion issue that enables PHP Local File Inclusion, affecting the WordPress plugin Background animation blocks (background-animation-blocks) by Webarea. This flaw impacts all versions from n/a through 2.1.5. The vulnerability carries a CVSS v3.1 base score of 8.1 (High), with vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H, and is associated with CWE-98.
Unauthenticated remote attackers can exploit this vulnerability over the network without requiring user interaction, though exploitation demands high attack complexity. Successful attacks enable high-impact consequences, including unauthorized access to confidential data, modification of system integrity, and disruption of availability.
Advisories, including the Patchstack database entry at https://patchstack.com/database/Wordpress/Plugin/background-animation-blocks/vulnerability/wordpress-background-animation-blocks-plugin-2-1-5-local-file-inclusion-vulnerability?_s_id=cve, provide details on the vulnerability and associated mitigations for affected WordPress installations.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a remote/local file inclusion vulnerability in a public-facing WordPress plugin, directly enabling exploitation of public-facing applications (T1190) and unauthorized access to data from local system files (T1005).