CVE-2025-26964
Published: 25 February 2025
Description
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Security Summary
CVE-2025-26964 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, classified as PHP Remote File Inclusion, in the Arraytics Eventin wp-event-solution WordPress plugin. It enables PHP Local File Inclusion and affects Eventin versions from n/a through 4.0.20.
The vulnerability carries a CVSS v3.1 base score of 7.5 (High), with an attack vector of network (AV:N), high attack complexity (AC:H), low privileges required (PR:L), no user interaction (UI:N), unchanged scope (S:U), and high impacts to confidentiality, integrity, and availability (C:H/I:H/A:H). Attackers with low privileges can exploit it remotely under high-complexity conditions to perform local file inclusion, potentially leading to unauthorized file access or code execution depending on server configuration.
The Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/wp-event-solution/vulnerability/wordpress-eventin-plugin-4-0-20-local-file-inclusion-vulnerability?_s_id=cve) documents the local file inclusion issue in WordPress Eventin plugin version 4.0.20.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
LFI vulnerability in public-facing WordPress plugin directly enables exploitation of public-facing applications (T1190) and local file access for data collection (T1005).