Cyber Posture

CVE-2025-27272

Severity: High
Published: 24 February 2025
Modified: 23 April 2026
KEV Added:
Patch:
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0085 (75.0th percentile)
Risk Priority: 16 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.

Security Summary

CVE-2025-27272 is an Improper Control of Filename for Include/Require Statement vulnerability (CWE-98) in the vinagecko VG PostCarousel (vg-postcarousel) WordPress plugin. CWE-98 is catalogued under the name PHP Remote File Inclusion, but in this plugin the weakness enables PHP Local File Inclusion (LFI). The flaw affects all versions of the plugin up to and including 1.1. It carries a CVSS v3.1 base score of 7.5 (High): the vector is network-reachable (AV:N) but of high attack complexity (AC:H).

A low-privileged authenticated user (PR:L) can exploit the vulnerability over the network with no user interaction required. Successful exploitation lets an attacker make the server include, and therefore execute as PHP, arbitrary files already present on the local filesystem. Depending on which files are available and how the server is configured, this can lead to high-impact loss of confidentiality, integrity, and availability, for example unauthorized data access or server-side code execution.

Patchstack's advisory at https://patchstack.com/database/Wordpress/Plugin/vg-postcarousel/vulnerability/wordpress-vg-postcarousel-plugin-1-1-local-file-inclusion-vulnerability?_s_id=cve details the vulnerability and recommends updating to a patched version beyond 1.1 or removing the plugin if no update is available.

Details

CWE(s): CWE-98

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1059 Command and Scripting Interpreter (tactic: Execution)
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

The flaw sits in a public-facing WordPress plugin and allows LFI, which leads to arbitrary file inclusion and potential server-side code execution. That maps directly to exploitation of a public-facing application for initial access (T1190), privilege escalation from a low-privileged authenticated user (T1068), and command or script execution via the included PHP files (T1059).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

References