Cyber Posture

CVE-2025-25141

Severity: High

Published: 07 February 2025

Modified: 23 April 2026
KEV Added:
Patch:
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0113 (78.4th percentile)
Risk Priority: 16 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Security Summary

CVE-2025-25141 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability (CWE-98; the CWE is titled "PHP Remote File Inclusion", but in this case it enables PHP Local File Inclusion) in the zankover Fami Sales Popup WordPress plugin (fami-sales-popup). The issue affects all versions from n/a through 2.0.0. The vulnerability carries a CVSS v3.1 base score of 7.5 (High): network attack vector (AV:N), high attack complexity (AC:H), no privileges required (PR:N), user interaction required (UI:R), unchanged scope (S:U), and high impact on confidentiality, integrity, and availability (C:H/I:H/A:H).

Attackers can exploit this vulnerability remotely and without authentication by tricking a user into performing an action that triggers the flawed include/require statement, for example via a crafted request or input. Because this is a local file inclusion, successful exploitation could allow an attacker to include, and potentially execute, arbitrary local PHP files on the server, leading to sensitive data disclosure, code execution, or server compromise depending on the files included and the server configuration.

The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/fami-sales-popup/vulnerability/wordpress-fami-sales-popup-plugin-2-0-0-local-file-inclusion-vulnerability?_s_id=cve details the vulnerability in Fami Sales Popup plugin version 2.0.0 and provides mitigation guidance for WordPress administrators.

Details

CWE(s): CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program)

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

Why these techniques?

An LFI vulnerability in a public-facing WordPress plugin maps directly to T1190 (exploitation of a public-facing application via crafted requests) and T1005 (inclusion of arbitrary local files, leading to data disclosure or execution of local PHP files).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
