CVE-2025-68974
Published: 30 December 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-68974 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability (CWE-98). The weakness class is named "PHP Remote File Inclusion", but in this case it enables PHP Local File Inclusion. It affects the miniOrange WordPress Social Login and Register plugin (miniorange-login-openid) in all versions up to and including 7.7.0.
The vulnerability can be exploited over the network (AV:N) by attackers with high privileges (PR:H), such as authenticated administrators, under high attack complexity (AC:H) conditions and without requiring user interaction (UI:N). Successful exploitation results in high impacts to confidentiality, integrity, and availability (C:H/I:H/A:H), with unchanged scope (S:U), yielding an overall CVSS v3.1 base score of 6.6.
Advisories and mitigation details, including patches, are documented in the Patchstack vulnerability database at https://patchstack.com/database/Wordpress/Plugin/miniorange-login-openid/vulnerability/wordpress-wordpress-social-login-and-register-plugin-7-7-0-local-file-inclusion-vulnerability?_s_id=cve.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
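This is a remotely exploitable Local File Inclusion (LFI) vulnerability in a public-facing WordPress plugin. It maps to exploitation of public-facing applications for initial access, with potential for arbitrary file reads and server compromise. The CVSS vector above requires high privileges (PR:H), such as an authenticated administrator, so the attacker must already hold such an account.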