CVE-2025-28916
Published: 26 March 2025
Description
Adversaries may abuse Unix shell commands and scripts for execution.
Security Summary
CVE-2025-28916 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, referred to as PHP Remote File Inclusion, in the Rashid Docpro (docpro) WordPress plugin. The flaw allows PHP Local File Inclusion and affects all versions from n/a through 2.0.1. It is associated with CWE-98 and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity.
Unauthenticated remote attackers can exploit this vulnerability over the network with low attack complexity and no user interaction required. Successful exploitation enables high-impact confidentiality, integrity, and availability violations, potentially leading to server compromise through local file inclusion.
The Patchstack advisory provides details on this WordPress Docpro plugin 2.0.1 local file inclusion vulnerability, including mitigation guidance, at https://patchstack.com/database/Wordpress/Plugin/docpro/vulnerability/wordpress-docpro-plugin-2-0-1-local-file-inclusion-vulnerability?_s_id=cve.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes an unauthenticated remote LFI vulnerability in a public-facing WordPress plugin that leads to server compromise, directly enabling exploitation of public-facing applications (T1190) and facilitating command/script execution via included PHP files on Unix-based servers (T1059.004).