CVE-2025-26957
Published: 25 February 2025
Description
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Security Summary
CVE-2025-26957 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, classified as PHP Remote File Inclusion but enabling PHP Local File Inclusion, in the Deetronix Affiliate Coupons WordPress plugin. This issue affects all versions of the plugin from n/a through 1.7.3 and is associated with CWE-98.
The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating exploitation over the network with high attack complexity, low privileges required, and no user interaction. Attackers with low-privilege access, such as authenticated WordPress users, can exploit it to achieve high impacts on confidentiality, integrity, and availability through local file inclusion.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/affiliate-coupons/vulnerability/wordpress-affiliate-coupons-plugin-1-7-3-local-file-inclusion-vulnerability?_s_id=cve details the local file inclusion vulnerability in the Affiliate Coupons plugin version 1.7.3. Security practitioners should consult this reference for mitigation guidance, such as updating the plugin beyond version 1.7.3 where available.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
LFI vulnerability in public-facing WordPress plugin directly enables exploitation of public-facing applications (T1190) and facilitates collection of data from the target's local system via arbitrary file inclusion (T1005).