CVE-2025-23952
Published: 26 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-23952 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, classified as PHP Remote File Inclusion but enabling PHP Local File Inclusion (CWE-98). It affects the WordPress plugin custom-field-list-widget, with all versions from n/a through 1.5.1 vulnerable. The issue was published on 2025-03-26 and carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to network accessibility and significant impacts.
Remote attackers without privileges can exploit this vulnerability over the network, requiring no user interaction but high attack complexity. Successful exploitation allows high-impact compromise of confidentiality, integrity, and availability, potentially enabling attackers to include and execute arbitrary local PHP files.
Patchstack provides details on mitigation in its advisory at https://patchstack.com/database/Wordpress/Plugin/custom-field-list-widget/vulnerability/wordpress-custom-field-list-widget-plugin-1-5-1-local-file-inclusion-vulnerability?_s_id=cve.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a local file inclusion vulnerability in a public-facing WordPress plugin allowing remote unauthenticated attackers to include and execute arbitrary local PHP files, directly enabling exploitation of public-facing applications for remote code execution.