CVE-2025-26890
Published: 27 March 2025
Description
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Security Summary
CVE-2025-26890 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, classified as a PHP Remote File Inclusion but enabling PHP Local File Inclusion, in the RealMag777 HUSKY woocommerce-products-filter WordPress plugin. This issue affects HUSKY versions from n/a through 1.3.6.4 and is associated with CWE-98. The vulnerability was published on 2025-03-27.
The CVSS v3.1 base score is 7.5 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating network accessibility with high attack complexity, requiring low privileges, no user interaction, and no scope change, but with high impacts on confidentiality, integrity, and availability. Low-privileged authenticated users can exploit it remotely to perform local file inclusion, potentially reading sensitive files or achieving further compromise depending on server configuration.
Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/woocommerce-products-filter/vulnerability/wordpress-husky-plugin-1-3-6-4-local-file-inclusion-vulnerability?_s_id=cve.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
LFI vulnerability in public-facing WordPress plugin directly enables remote exploitation of the application (T1190) and retrieval of sensitive local files (T1005).