CVE-2025-22656
Published: 18 February 2025
Summary
CVE-2025-22656 is a high-severity PHP Remote File Inclusion (CWE-98) vulnerability. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 21.3% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
The vulnerability CVE-2025-22656 is an improper control of filename for include/require statements in a PHP program, classified as a PHP Local File Inclusion flaw under CWE-98. It affects the Cookie Monster WordPress plugin by Oscar Alvarez, with all versions through 1.2.2 impacted. The issue carries a CVSS 3.1 score of 8.1, reflecting a network-accessible vector with high attack complexity but no required privileges or user interaction.
An unauthenticated remote attacker can exploit the flaw to include arbitrary local files on the server. Successful exploitation can result in disclosure of sensitive information, modification of data, or full disruption of the affected application, given the high impact ratings across confidentiality, integrity, and availability.
The sole reference advisory is published by Patchstack and details the local file inclusion vulnerability in the Cookie Monster plugin. The EPSS score remains low, with a recorded peak of 0.0218 and current value of 0.0113.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-4779
Vulnerability details
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Oscar Alvarez Cookie Monster cookie-monster allows PHP Local File Inclusion. This issue affects Cookie Monster: from n/a through <= 1.2.2.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes an unauthenticated LFI vulnerability in a public-facing WordPress plugin, directly enabling remote exploitation of the web application.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- Directly addresses the CVE by requiring identification, reporting, and patching of the vulnerable Cookie Monster WordPress plugin versions through <= 1.2.2.
- SI-10 (Information Input Validation): mandates validation of filename inputs to PHP include/require statements in the plugin, preventing local file inclusion exploitation.
- RA-5 (Vulnerability Monitoring and Scanning): requires vulnerability scanning that identifies the PHP local file inclusion flaw in Cookie Monster plugin versions <= 1.2.2 for timely remediation.
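As an added illustration of the SI-10 input-validation control above (not code from the Cookie Monster plugin or the Patchstack advisory), the following loader accepts a request-supplied template name only when it is an allowlisted key and the resolved file still lies inside the expected directory. The template directory, file names and function names are assumptions.

```php
<?php
// Added example of an include-path guard in the spirit of SI-10. Nothing here
// is taken from the Cookie Monster plugin; all names and paths are assumptions.

declare(strict_types=1);

// Hypothetical directory that holds the only files this code may include.
const TEMPLATE_DIR = __DIR__ . '/templates';

// Allowlist of logical names mapped to concrete files. Only these keys are
// ever accepted from the request; the request value is never used as a path.
const TEMPLATE_MAP = [
    'banner'   => 'banner.php',
    'settings' => 'settings.php',
];

/**
 * Resolve a request-supplied template name to an absolute path, or null.
 * Two independent checks apply: the name must be an allowlisted key, and the
 * resolved path must still be inside TEMPLATE_DIR (defence in depth against a
 * mis-edited map entry such as '../wp-config.php').
 */
function resolve_template(string $requested): ?string
{
    if (!array_key_exists($requested, TEMPLATE_MAP)) {
        return null; // not an allowlisted name: reject, do not "sanitise"
    }
    $base = realpath(TEMPLATE_DIR);
    $path = realpath(TEMPLATE_DIR . '/' . TEMPLATE_MAP[$requested]);
    if ($base === false || $path === false) {
        return null; // directory absent or file missing
    }
    // Containment check: the resolved path must start with the base directory.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Vulnerable pattern (CWE-98) for contrast, kept disabled: a request value
// used directly as the include target is what this CVE class describes.
// include $_GET['template'];

// Hardened use: only a resolved, allowlisted path is ever passed to include.
$path = resolve_template((string) ($_GET['template'] ?? ''));
if ($path === null) {
    http_response_code(400);
    exit('Unknown template');
}
include $path;
```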