CVE-2025-31016
Published: 31 March 2025
Description
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Security Summary
CVE-2025-31016 is an Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in the Crocoblock JetWooBuilder (jet-woo-builder) WordPress plugin. The flaw allows PHP Local File Inclusion and affects all JetWooBuilder versions up to and including 2.1.18 (listed as n/a through <= 2.1.18). It carries a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-98. The CVE was published on 2025-03-31T06:15:30.650.
The vulnerability is reachable over the network by low-privileged authenticated users; the vector has high attack complexity and requires no user interaction. Successful exploitation has high impact on confidentiality, integrity, and availability, for example by including and executing local PHP files to disclose sensitive data or perform unauthorized actions.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/jet-woo-builder/vulnerability/wordpress-jetwoobuilder-plugin-2-1-18-local-file-inclusion-vulnerability?_s_id=cve documents the local file inclusion vulnerability in the WordPress JetWooBuilder plugin version 2.1.18 and provides related details for mitigation.
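To make the CWE-98 pattern concrete, the following is an added illustration of an include whose filename is controlled by request input, beside an allowlisted and path-checked form. It is not code from JetWooBuilder or Patchstack; the handler, the `template` parameter and the `templates/` directory are hypothetical.

```php
<?php
// Added illustration of CWE-98 (improper control of an include filename).
// Not JetWooBuilder code: the 'template' parameter and paths are hypothetical.

// VULNERABLE PATTERN: the include path is built directly from request input,
// so whoever can reach this handler decides which local PHP file is executed.
function render_template_vulnerable(array $request): void {
    $name = $request['template'] ?? 'default';
    include __DIR__ . '/templates/' . $name . '.php';
}

// HARDENED PATTERN: map request input onto a fixed allowlist of template
// files and verify the resolved path stays inside the template directory.
function render_template_hardened(array $request): void {
    $allowed = [
        'default' => 'default.php',
        'grid'    => 'grid.php',
        'list'    => 'list.php',
    ];
    $key = $request['template'] ?? 'default';
    if (!array_key_exists($key, $allowed)) {
        // Unknown names are rejected outright, never turned into a path.
        wp_die(esc_html__('Invalid template.', 'textdomain'), '', ['response' => 400]);
    }
    $base = realpath(__DIR__ . '/templates');
    $path = realpath($base . '/' . $allowed[$key]);
    // realpath() resolves '..' and symlinks; require the result to be a
    // regular file located under the template directory before including it.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0
        || !is_file($path)) {
        wp_die(esc_html__('Invalid template.', 'textdomain'), '', ['response' => 400]);
    }
    include $path;
}
```

The allowlist is the primary control; the realpath() check is defence in depth against a later change that lets a value other than the mapped filenames reach the include.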
Details
- CWE(s): CWE-98
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An LFI vulnerability in a public-facing WordPress plugin enables exploitation of public-facing applications (T1190) and direct access to local system files for data disclosure (T1005).