CVE-2025-26979
Published: 25 February 2025
Description
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Security Summary
CVE-2025-26979 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, classified as PHP Remote File Inclusion but enabling PHP Local File Inclusion (CWE-98), in the Funnel Builder by FunnelKit WordPress plugin. This flaw affects all versions from n/a through 3.9.0 and was published on 2025-02-25.
A remote, unauthenticated attacker (PR:N) can exploit this over the network (AV:N), though it requires high attack complexity (AC:H) and user interaction (UI:R). Successful exploitation yields high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H) with no scope change (S:U), resulting in a CVSS v3.1 base score of 7.5.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/funnel-builder/vulnerability/wordpress-funnel-builder-by-funnelkit-plugin-3-9-0-local-file-inclusion-vulnerability?_s_id=cve provides details on this vulnerability in the Funnel Builder by FunnelKit plugin version 3.9.0.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
LFI in public-facing WordPress plugin directly enables T1190 for initial access and facilitates T1005 via arbitrary local file reads.