Cyber Resilience

CVE-2025-25109

Severity: High
Published: 03 March 2025
Modified: 23 April 2026
KEV Added: not listed (not in the CISA KEV catalog)
Patch: no patch details recorded
CVSS Score (v3.1): 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0156 (81.9th percentile)
Risk Priority: 17 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-25109 is a high-severity vulnerability classified as CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program, 'PHP Remote File Inclusion'). Its CVSS v3.1 base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 18.1% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-25109 is a PHP Local File Inclusion vulnerability caused by improper control of filenames in include/require statements (CWE-98). It affects the JoomSky WP Vehicle Manager plugin (js-vehicle-manager) for WordPress in all versions through 3.1.

An unauthenticated remote attacker can exploit the flaw over the network, albeit with high attack complexity, to include arbitrary local files. Successful exploitation can result in disclosure of sensitive information along with impacts to integrity and availability.

The sole reference points to a Patchstack advisory entry for the plugin, though no specific patch or mitigation details are supplied in the available data. The associated EPSS score remains low, with a current value of 0.0156 and a peak of 0.0171.

EU & UK References

Vulnerability details

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in JoomSky WP Vehicle Manager js-vehicle-manager allows PHP Local File Inclusion. This issue affects WP Vehicle Manager: from n/a through <= 3.1.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The CVE describes a remote unauthenticated LFI vulnerability in a public-facing WordPress plugin allowing inclusion and execution of arbitrary local PHP files, directly enabling exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-28087 (shared CWE-98)
CVE-2025-23952 (shared CWE-98)
CVE-2026-32505 (shared CWE-98)
CVE-2025-48149 (shared CWE-98)
CVE-2025-60058 (shared CWE-98)
CVE-2025-49994 (shared CWE-98)
CVE-2026-24531 (shared CWE-98)
CVE-2025-67527 (shared CWE-98)
CVE-2025-69396 (shared CWE-98)
CVE-2025-62067 (shared CWE-98)

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)

Directly requires timely patching and remediation of the specific PHP Local File Inclusion flaw in the WP Vehicle Manager plugin to eliminate the vulnerability.

SI-10 Information Input Validation (prevent)

Mandates validation of user-supplied filename inputs in PHP include/require statements to block path traversal and arbitrary local file inclusion.

SC-7 Boundary Protection (prevent, detect)

Enforces boundary protection via web application firewalls or similar to monitor and block network-based exploitation attempts targeting the LFI vulnerability.
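The SI-10 control above (validation of user-supplied filename inputs in include/require statements) is the one a plugin developer can act on directly. The following is an added illustration, not code from the WP Vehicle Manager plugin or from Patchstack: it shows the CWE-98 pattern as a comment for contrast, then a resolver that only passes an allowlisted, canonicalised path under a fixed template directory to include. The template names, the temporary template directory, and the test inputs are all constructed for this example.

```php
<?php
// Added example (not the plugin's code). Demonstrates SI-10 style input
// validation for a PHP include: allowlist the identifier, constrain its
// syntax, canonicalise the path, and confirm it stays under the base
// directory. Everything below (names, directory, inputs) is constructed.

declare(strict_types=1);

// Vulnerable CWE-98 pattern, shown only as a comment and never executed:
//   $view = $_GET['view'];
//   include __DIR__ . '/templates/' . $view . '.php';
// Traversal sequences in $view walk out of the template directory, so any
// file readable by the web server can be handed to the PHP interpreter.

/**
 * Resolve a user-supplied template name to a real file path inside $baseDir.
 * Returns null when the name is not allowlisted, has an unexpected form,
 * does not exist, or canonicalises to a location outside $baseDir.
 */
function resolve_template(string $name, string $baseDir, array $allowed): ?string
{
    // 1. Allowlist: only template identifiers the application knows about.
    if (!in_array($name, $allowed, true)) {
        return null;
    }
    // 2. Syntactic check: a short, safe character class (no dots, slashes, colons).
    if (!preg_match('/^[a-z0-9_-]{1,40}$/', $name)) {
        return null;
    }
    // 3. Canonicalise both sides and require the resolved file to sit under the base.
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $name . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// Constructed template directory with one real template file.
$baseDir = sys_get_temp_dir() . '/vm-templates-' . bin2hex(random_bytes(4));
mkdir($baseDir, 0700);
file_put_contents($baseDir . '/list.php', "<?php echo 'vehicle list';\n");
$allowed = ['list', 'detail'];

// Constructed inputs: one valid, one allowlisted but missing, two hostile forms.
$tests = [
    'list'                   => 'allowlisted, file present',
    'detail'                 => 'allowlisted, file missing',
    '../../../../etc/passwd' => 'path traversal attempt',
    'list.php'               => 'extension smuggled into name',
];
foreach ($tests as $input => $label) {
    $resolved = resolve_template($input, $baseDir, $allowed);
    printf("%-28s %-30s => %s\n", var_export($input, true), $label,
           $resolved === null ? 'REJECTED' : 'ok: ' . basename($resolved));
}

// Only a successfully resolved path ever reaches include.
$path = resolve_template('list', $baseDir, $allowed);
if ($path !== null) {
    include $path;
    echo "\n";
}

// Remove the constructed directory.
unlink($baseDir . '/list.php');
rmdir($baseDir);
```

The allowlist alone would already reject every hostile input here; the syntax and realpath checks are defence in depth for the case where the allowlist is later loosened or built dynamically from configuration, which is how this class of bug usually reappears after a first fix.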

References