CVE-2025-23949
Published: 22 January 2025
Summary
CVE-2025-23949 is a high-severity file inclusion vulnerability classified as CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program, 'PHP Remote File Inclusion'); in practice it permits local file inclusion. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 17.8% of CVEs by exploit likelihood (EPSS percentile) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
The vulnerability is a PHP Local File Inclusion flaw (CWE-98) in the Improved Sale Badges – Free Version WordPress plugin. It arises from improper control of filenames passed to include/require statements and affects all versions through 1.0.1.
An unauthenticated attacker can exploit the issue remotely over the network, although the CVSS vector rates attack complexity as high. Successful exploitation lets the attacker cause the application to include arbitrary files from the local filesystem, which PHP then executes, resulting in high impact to confidentiality, integrity, and availability.
The issue is tracked in the Patchstack advisory database, which identifies the affected plugin versions and links to the corresponding CVE record. The EPSS score remains low at 0.0161, with no observed rise since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-3562
Vulnerability details
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in dzeriho Improved Sale Badges – Free Version improved-sale-badges-free-version allows PHP Local File Inclusion. This issue affects Improved Sale Badges – Free Version: from n/a through <= 1.0.1.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a remotely exploitable local file inclusion vulnerability in a public-facing WordPress plugin that allows unauthenticated attackers to include, and so execute, arbitrary local files, which maps directly to exploitation of a public-facing application.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
SI-10 requires validation of information inputs; here that means allow-listing or canonicalizing a filename before it reaches a PHP include/require statement, which removes the local file inclusion vector.
SI-2 mandates timely remediation of identified flaws, mitigating this CVE by patching the vulnerable Improved Sale Badges WordPress plugin.
RA-5 requires vulnerability monitoring and scanning, enabling detection of the LFI vulnerability in the affected plugin versions.
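The mechanism described under Deeper analysis and the SI-10 control above, as an added illustration that is not the plugin's code and not from the Patchstack advisory: a generic WordPress-plugin-style include that takes a template name from the request, first in the CWE-98 shape, then constrained two ways. The parameter name `badge_template`, the function names, the `templates` directory and the template list are all hypothetical.

```php
<?php
// Added illustration, not the plugin's code. Shows how an unvalidated
// filename reaching include/require becomes a local file inclusion, and
// two ways to constrain it. All names here are hypothetical.

declare(strict_types=1);

const TEMPLATE_DIR = __DIR__ . '/templates';

// --- Vulnerable pattern (CWE-98) ---------------------------------------
// The request value is concatenated straight into the include path.
// A value such as "../../../../etc/passwd" escapes the templates
// directory; any local file whose content the attacker can influence
// (a log, a cache entry, an upload) is then parsed and run as PHP.
function render_badge_vulnerable(string $template): void
{
    include TEMPLATE_DIR . '/' . $template . '.php';
}

// --- Hardened form A: allow-list ---------------------------------------
// SI-10 style: the input is only ever used as a key into a fixed map, so
// no attacker-controlled bytes reach the include statement at all.
const BADGE_TEMPLATES = [
    'ribbon' => 'ribbon.php',
    'circle' => 'circle.php',
    'flag'   => 'flag.php',
];

function resolve_badge_template(string $template): ?string
{
    if (!array_key_exists($template, BADGE_TEMPLATES)) {
        return null; // unknown template: refuse, do not fall back to the input
    }
    return TEMPLATE_DIR . '/' . BADGE_TEMPLATES[$template];
}

// --- Hardened form B: canonicalise and confine -------------------------
// For an open-ended template set: restrict the name to a flat identifier,
// resolve the real path (collapses "..", follows symlinks, fails on
// non-existent files) and require it to stay inside TEMPLATE_DIR.
function resolve_confined_template(string $template): ?string
{
    // \z rather than $ so a trailing newline cannot slip past the check.
    if (!preg_match('/^[A-Za-z0-9_-]+\z/', $template)) {
        return null;
    }
    $base = realpath(TEMPLATE_DIR);
    $path = realpath(TEMPLATE_DIR . '/' . $template . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null; // resolved outside the templates directory
    }
    return $path;
}

// --- Demonstration with a constructed traversal probe -------------------
$probe = $_GET['badge_template'] ?? '../../../../etc/passwd';

var_dump(resolve_badge_template($probe));    // NULL for the probe
var_dump(resolve_confined_template($probe)); // NULL: fails the identifier check
var_dump(resolve_badge_template('ribbon'));  // string(...) ".../templates/ribbon.php"
// resolve_confined_template('ribbon') returns the path only once
// templates/ribbon.php actually exists on disk; otherwise NULL.
```

Form A is the stronger choice whenever the set of includable files is known at development time, since the include argument is then a constant the attacker never touches; form B is the fallback when it is not, and its realpath() containment check is what defeats traversal and symlink tricks that a simple string filter would miss.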