CVE-2025-26760
Published: 22 February 2025
Description
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Security Summary
CVE-2025-26760 is an Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion', CWE-98) vulnerability in the Wow-Company Calculator Builder WordPress plugin (calculator-builder) that allows PHP Local File Inclusion. This issue affects all versions from n/a through 1.6.2.
The vulnerability has a CVSS v3.1 base score of 7.5 (High), with vector AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H. Remote unauthenticated attackers can exploit it over the network, though it requires high attack complexity and user interaction, such as a victim visiting a crafted webpage. Successful exploitation allows high-impact compromise of confidentiality, integrity, and availability, enabling local file inclusion that could disclose sensitive files or lead to further code execution.
The Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/calculator-builder/vulnerability/wordpress-calculator-builder-plugin-1-6-2-local-file-inclusion-vulnerability?_s_id=cve) details the local file inclusion vulnerability in version 1.6.2 of the Calculator Builder plugin and provides associated mitigation guidance.
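As an added illustration of the weakness class the summary names (CWE-98), and not code taken from the Calculator Builder plugin or the Patchstack advisory, the following shows the unsafe include pattern beside a hardened allowlist version; the `tpl` request parameter, the templates directory and the template names are assumptions.

```php
<?php
// Added illustration of CWE-98 (Improper Control of Filename for Include/Require).
// NOT code from the Calculator Builder plugin; parameter and file names are hypothetical.

// Vulnerable pattern: a request value selects the file to include. Directory
// traversal sequences or an absolute path let a caller include arbitrary local
// files (Local File Inclusion).
function render_template_unsafe(string $requested): void {
    include __DIR__ . '/templates/' . $requested . '.php';
}

// Hardened pattern: never build an include path from untrusted input. Map the
// request value onto a fixed allowlist of template files, then resolve the
// final path with realpath() and confirm it still lies inside the templates
// directory before including it.
function render_template_safe(string $requested): bool {
    $allowed = ['basic' => 'basic.php', 'advanced' => 'advanced.php'];
    if (!array_key_exists($requested, $allowed)) {
        return false; // unknown template: refuse rather than guess
    }
    $base = realpath(__DIR__ . '/templates');
    $path = realpath($base . '/' . $allowed[$requested]);
    // realpath() returns false for a missing file; the prefix check rejects a
    // resolved path (e.g. via symlink) that escapes $base.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return false;
    }
    include $path;
    return true;
}

// Hypothetical entry point: reduce the raw request value to a safe key shape
// (WordPress code would typically use sanitize_key() here) before the lookup.
$raw = isset($_GET['tpl']) ? (string) $_GET['tpl'] : 'basic';
$requested = preg_replace('/[^a-z0-9_\-]/', '', strtolower($raw));
if (!render_template_safe($requested)) {
    http_response_code(400);
}
```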
Details
- CWE(s): CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program)
MITRE ATT&CK Enterprise Techniques
- T1190 (Exploit Public-Facing Application)
- T1005 (Data from Local System)
Why these techniques?
The LFI vulnerability in a public-facing WordPress plugin directly enables exploitation of a public-facing application (T1190). It also facilitates data collection from the local system (T1005) by allowing inclusion of sensitive files, potentially leading to the disclosure or further impacts described in the summary above.