CVE-2025-31387
Published: 31 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-31387 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, classified as PHP Remote File Inclusion but enabling PHP Local File Inclusion, in the InstaWP Connect WordPress plugin (instawp-connect). This issue affects all versions up to and including 0.1.0.82, as documented under CWE-98.
The vulnerability can be exploited by a remote, unauthenticated attacker over the network (AV:N), though it requires high attack complexity (AC:H) and user interaction (UI:R), with no privileges needed (PR:N) and unchanged scope (S:U). Successful exploitation yields high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), resulting in a CVSS v3.1 base score of 7.5. Attackers can leverage the local file inclusion to include and potentially execute arbitrary local PHP files on the server.
Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/instawp-connect/vulnerability/wordpress-instawp-connect-plugin-0-1-0-82-local-file-inclusion-vulnerability?_s_id=cve. The vulnerability was published on 2025-03-31.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a local file inclusion vulnerability in a publicly accessible WordPress plugin allowing remote unauthenticated attackers to include and execute arbitrary local PHP files, directly mapping to exploitation of public-facing applications.