CVE-2025-31432
Published: 28 March 2025
Description
The text below is the MITRE ATT&CK description of T1005 (Data from Local System), the technique this record is mapped to under "Why these techniques?"; the vulnerability itself is described in the Security Summary. Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Security Summary
CVE-2025-31432 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability (CWE-98, whose common name is "PHP Remote File Inclusion") in the Chop Chop Pop-Up WordPress plugin (also referred to as Pop-Up Chop Chop). The condition that is actually exploitable here is PHP Local File Inclusion: a request-controlled value reaches a PHP include/require, so an attacker can make the server include files from its own filesystem. This issue affects all versions of the plugin from n/a (no lower bound given) through 2.1.7.
The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H): it is exploitable over the network (AV:N) by an attacker who already holds a low-privileged account on the site (PR:L), with high attack complexity (AC:H) and no user interaction (UI:N), and the scope is unchanged (S:U). All three impact metrics are rated High. The direct effect is unauthorized access to local files via inclusion, such as configuration files holding credentials; the general caveat for any PHP LFI is that include also executes whatever PHP code the included file contains, so if the attacker can place content on the server by another route (an upload, a poisoned log) the inclusion can escalate to code execution, which affects integrity and availability as well as confidentiality.
Patchstack's advisory at https://patchstack.com/database/Wordpress/Plugin/pop-up/vulnerability/wordpress-pop-up-chop-chop-2-1-7-local-file-inclusion-vulnerability?_s_id=cve details the local file inclusion vulnerability in the WordPress Pop-Up Chop Chop plugin, affecting version 2.1.7 and earlier.
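The following added example is not code from the Pop-Up Chop Chop plugin or from the Patchstack advisory (neither puts the vulnerable code on this page). It is a hypothetical pop-up template loader that shows the CWE-98 pattern described above next to a hardened version that keys the request value into an allowlist and confirms the resolved path stays inside the template directory. TEMPLATE_DIR, render_popup_vulnerable, resolve_popup_template, render_popup_hardened and the template names are all assumptions made for the illustration.

```php
<?php
// Added example (not the plugin's code): a hypothetical pop-up template loader.
// render_popup_vulnerable() shows the CWE-98 pattern; the hardened functions show
// the allowlist plus path-containment check that removes it.
declare(strict_types=1);

// Assumed layout: templates live in a fixed directory next to this file.
const TEMPLATE_DIR = __DIR__ . '/templates';

// VULNERABLE (assumed pattern): the include path is built from a request value.
// A value such as "../../wp-config.php" walks out of TEMPLATE_DIR; PHP reads the
// target and executes any PHP code it contains, and a non-PHP file such as
// /etc/passwd is simply written to the response as text.
function render_popup_vulnerable(string $template): void
{
    include TEMPLATE_DIR . '/' . $template;   // CWE-98: attacker controls the filename
}

// HARDENED: the request value is only ever a key into a fixed allowlist.
// Returns the absolute path to include, or null if the request is not allowed.
function resolve_popup_template(string $template): ?string
{
    static $allowed = [
        'default'  => 'default.php',
        'modal'    => 'modal.php',
        'slide-in' => 'slide-in.php',
    ];
    if (!isset($allowed[$template])) {
        return null;                           // unknown key: reject, do not "fix up"
    }

    // Defence in depth: even an allowlisted entry must resolve inside TEMPLATE_DIR.
    // realpath() returns false for a missing file, which is also treated as a rejection.
    $base = realpath(TEMPLATE_DIR);
    $path = realpath(TEMPLATE_DIR . '/' . $allowed[$template]);
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;                           // resolved outside the template directory
    }
    return $path;
}

function render_popup_hardened(string $template): void
{
    $path = resolve_popup_template($template);
    if ($path === null) {
        http_response_code(400);
        echo 'Unknown pop-up template';
        return;
    }
    include $path;
}

// Typical call site: $_GET['template'] is untrusted. Only the hardened version
// may be fed directly from the request.
if (PHP_SAPI !== 'cli') {
    $requested = isset($_GET['template']) ? (string) $_GET['template'] : 'default';
    render_popup_hardened($requested);
}
```

With a templates/ directory containing the three allowlisted files, any traversal string ("../../wp-config.php", "....//....//etc/passwd") is rejected by the allowlist lookup before the filesystem is touched, and the realpath comparison catches the case where an allowlisted entry is later pointed at a symlink outside the directory. In a WordPress plugin the request value would typically also pass through sanitize_key() before the lookup, but it is the allowlist, not the sanitiser, that prevents the inclusion.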
Details
- CWE(s): CWE-98, Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
MITRE ATT&CK Enterprise Techniques
- T1190: Exploit Public-Facing Application
- T1005: Data from Local System
Why these techniques?
An LFI vulnerability in a public-facing WordPress plugin is triggered by sending crafted requests to the site, which is Exploit Public-Facing Application (T1190); the payoff is server-side read access to local files, such as configuration files containing credentials, which is Data from Local System (T1005).