CVE-2025-48330
Published: 06 November 2025
Description
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
Security Summary
CVE-2025-48330 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, classified as PHP Remote File Inclusion (CWE-98), in the WordPress plugin Real Time Validation for Gravity Forms (real-time-validation-for-gravity-forms). The flaw enables PHP Local File Inclusion and affects all versions from n/a through 1.7.0 inclusive. Published on 2025-11-06, it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H).
A remote, unauthenticated attacker can exploit this vulnerability over the network, though it requires high attack complexity and user interaction. Exploitation allows inclusion of arbitrary local PHP files, potentially resulting in high-impact confidentiality, integrity, and availability violations, such as unauthorized access to sensitive data or code execution depending on the included files.
Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/real-time-validation-for-gravity-forms/vulnerability/wordpress-real-time-validation-for-gravity-forms-1-7-0-local-file-inclusion-vulnerability?_s_id=cve.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
LFI in public-facing WordPress plugin enables public-facing app exploitation (T1190), arbitrary local file reads for data collection (T1005), and access to credentials in files like wp-config.php (T1552.001).