CVE-2025-39468
Published: 06 November 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-39468 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, classified as PHP Remote File Inclusion (CWE-98), in the pantherius Modal Survey WordPress plugin. This issue affects Modal Survey versions from n/a through 2.0.2.0.1. Published on 2025-11-06, it carries a CVSS v3.1 base score of 8.1 (High), reflecting network accessibility with high confidentiality, integrity, and availability impacts.
The vulnerability enables exploitation by unauthenticated remote attackers (AV:N/PR:N/UI:N), though it requires high attack complexity (AC:H) with unchanged scope (S:U). Successful attacks can lead to high-level compromise, including potential remote code execution, arbitrary file inclusion, data disclosure, modification, or denial of service (C:H/I:H/A:H).
Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/modal-survey/vulnerability/wordpress-modal-survey-plugin-2-0-2-0-1-local-file-inclusion-vulnerability?_s_id=cve.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a Remote File Inclusion (RFI) in a public-facing WordPress plugin, enabling unauthenticated remote code execution, directly mapping to exploitation of public-facing applications.