CVE-2025-23915
Published: 16 January 2025
Summary
CVE-2025-23915 is a high-severity PHP Remote File Inclusion (CWE-98) vulnerability. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 19.4% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-23915 is an improper control of filename for include/require statement vulnerability, classified under CWE-98, that permits PHP local file inclusion. It affects the roninwp FAT Event Lite WordPress plugin in versions from n/a through 1.1 and carries a CVSS 3.1 score of 7.5.
An authenticated attacker with low privileges can supply a crafted filename over the network to force inclusion of arbitrary local files. Depending on the contents of the included file, successful exploitation can result in disclosure of sensitive information, modification of application behavior, or full compromise of the host. The attack is rated high complexity and requires no user interaction.
The primary advisory reference is published by Patchstack and details the authenticated non-arbitrary local file inclusion issue in the plugin. No separate patch or mitigation steps are described in the available reference.
EPSS remains flat at 0.0136 with no material rise observed after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-3530
Vulnerability details
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in roninwp FAT Event Lite fat-event-lite allows PHP Local File Inclusion. This issue affects FAT Event Lite: from n/a through <= 1.1.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An LFI vulnerability in a publicly accessible WordPress plugin directly enables exploitation of a public-facing application (T1190), and the resulting local file disclosure supports data collection from the local system (T1005).
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly mitigates CVE-2025-23915 by requiring timely remediation and patching of the flawed PHP include/require functionality in the FAT Event Lite plugin.
- SI-10 (Information Input Validation): prevents local file inclusion by validating filenames supplied to PHP include/require statements before processing.
- Restricting filenames for PHP includes to an approved whitelist blocks unauthorized local file paths even for authenticated low-privilege users.
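The two code-level controls above (validate the filename, restrict it to an approved list) are easiest to see side by side. The following is an added example, not code from the FAT Event Lite plugin or from the Patchstack advisory: it shows the generic include pattern that CWE-98 describes, followed by an allowlist-based rewrite in which the request selects a key and the code owns the path. The request parameter name `view`, the `templates/` directory and the template file names are assumptions made for the example.

```php
<?php
// Added example, not the plugin's own code. Parameter and file names are assumptions.
declare(strict_types=1);

// --- Vulnerable pattern (CWE-98), shown for contrast ---
// The request value becomes part of the include path. Any traversal sequence or
// absolute path in $template escapes the intended directory: local file inclusion.
function render_template_unsafe(string $template): void
{
    include __DIR__ . '/templates/' . $template . '.php';
}

// --- Hardened pattern: allowlist of selector keys mapped to fixed file names ---
const TEMPLATE_ALLOWLIST = [
    'list'   => 'event-list.php',    // assumed file names
    'single' => 'event-single.php',
    'grid'   => 'event-grid.php',
];

/**
 * Map a request-supplied selector to an absolute template path, or null if rejected.
 * No user-controlled characters ever reach the filesystem path (SI-10 style validation).
 */
function resolve_template(string $requested): ?string
{
    if (!array_key_exists($requested, TEMPLATE_ALLOWLIST)) {
        // Log rejected selectors: repeated rejections are a useful detection signal.
        error_log(sprintf('template selector rejected: %s', bin2hex($requested)));
        return null;
    }

    $base = realpath(__DIR__ . '/templates');
    $real = realpath(__DIR__ . '/templates/' . TEMPLATE_ALLOWLIST[$requested]);

    // Defence in depth: the resolved file must exist and sit under the templates directory.
    if ($base === false || $real === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        error_log('template path failed containment check');
        return null;
    }
    return $real;
}

function render_template(string $requested): void
{
    $path = resolve_template($requested);
    if ($path === null) {
        http_response_code(400);
        echo 'Unknown template';
        return;
    }
    include $path;
}

// Usage: assumed request parameter "view"; anything not a plain string falls back to the default.
$view = isset($_GET['view']) && is_string($_GET['view']) ? $_GET['view'] : 'list';
render_template($view);
```

The decisive change is that the request no longer names a file at all; it names a key, and the only strings that can appear in the `include` path are constants written by the developer. The `realpath` containment check adds nothing for well-formed allowlist entries but catches a mistaken entry (or a later edit) that points outside the templates directory, and the rejected-selector log line gives operators something to alert on while a patch for the plugin itself is pending.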