CVE-2025-23949
Published: 22 January 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-23949 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, referred to as PHP Remote File Inclusion but enabling PHP Local File Inclusion, in the WordPress plugin Improved Sale Badges – Free Version by dzeriho. This issue affects all versions from n/a through 1.0.1 inclusive. The vulnerability is associated with CWE-98 and carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
Unauthenticated attackers can exploit this vulnerability remotely over the network without requiring user interaction, though exploitation demands high attack complexity. Successful attacks can result in high impacts to confidentiality, integrity, and availability, potentially allowing attackers to include and execute arbitrary local files on the server.
Advisories, such as the Patchstack database entry (https://patchstack.com/database/Wordpress/Plugin/improved-sale-badges-free-version/vulnerability/wordpress-improved-sale-badges-free-version-plugin-1-0-1-local-file-inclusion-vulnerability?_s_id=cve), provide details on the vulnerability in the context of WordPress plugin security. Mitigation involves updating to a patched version beyond 1.0.1, as the issue affects versions up to that release.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a remote local file inclusion vulnerability in a public-facing WordPress plugin that allows unauthenticated attackers to include and execute arbitrary local files, directly mapping to exploitation of a public-facing application.