CVE-2025-25109
Published: 03 March 2025
Summary
CVE-2025-25109 is a high-severity vulnerability classified as CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program, 'PHP Remote File Inclusion'); in practice it permits local file inclusion. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 18.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-25109 is a PHP Local File Inclusion vulnerability caused by improper control of filenames in include/require statements (CWE-98). It affects the JoomSky WP Vehicle Manager plugin (js-vehicle-manager) for WordPress in all versions through 3.1.
An unauthenticated remote attacker can exploit the flaw over the network, albeit with high attack complexity, to include arbitrary local files. Successful exploitation can result in disclosure of sensitive information along with impacts to integrity and availability.
The sole reference points to a Patchstack advisory entry for the plugin, though no specific patch or mitigation details are supplied in the available data. The associated EPSS score remains low, with a current value of 0.0156 and a peak of 0.0171.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-5663
Vulnerability details
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in JoomSky WP Vehicle Manager js-vehicle-manager allows PHP Local File Inclusion. This issue affects WP Vehicle Manager: from n/a through <= 3.1.
MITRE ATT&CK Enterprise Techniques (AI-generated)
Why these techniques?
The CVE describes a remote unauthenticated LFI vulnerability in a public-facing WordPress plugin allowing inclusion and execution of arbitrary local PHP files, directly enabling exploitation of public-facing applications.
Mitigating Controls (NIST 800-53 r5, AI-generated)
- SI-2 (Flaw Remediation): Directly requires timely patching and remediation of the specific PHP Local File Inclusion flaw in the WP Vehicle Manager plugin to eliminate the vulnerability.
- SI-10 (Information Input Validation): Mandates validation of user-supplied filename inputs in PHP include/require statements to block path traversal and arbitrary local file inclusion.
- Boundary protection: Deploys a web application firewall or similar control to monitor and block network-based exploitation attempts targeting the LFI vulnerability.
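The input-validation control above is easiest to see in code. The following is an added illustration written for this page; it is not code from the WP Vehicle Manager plugin and says nothing about how that plugin is built. The `view` request parameter, the `templates/` directory and the template names are assumptions. It contrasts the general CWE-98 pattern (a request value flows into `include`) with an allowlist design in which user input only ever selects a key from a fixed map, so no filesystem path is ever assembled from it.

```php
<?php
// Added example (hypothetical plugin code, not WP Vehicle Manager).
// The 'view' parameter, the templates/ directory and the template names
// are assumptions made for illustration.

// Weak pattern (CWE-98): the request value reaches include() unvalidated,
// so the caller chooses which file on the host is read and executed.
function render_view_unsafe(string $view): void {
    include __DIR__ . '/templates/' . $view . '.php';
}

// Hardened pattern: user input is only a key into a fixed allowlist.
// The path is built from the map's value, never from the request.
const VIEW_TEMPLATES = [
    'list'   => 'list.php',
    'detail' => 'detail.php',
    'search' => 'search.php',
];

// Returns the absolute template path for a known view, or null to refuse.
function resolve_view(string $view): ?string {
    if (!array_key_exists($view, VIEW_TEMPLATES)) {
        return null;                      // unknown view: refuse, do not guess
    }
    $base = realpath(__DIR__ . '/templates');
    $real = realpath(__DIR__ . '/templates/' . VIEW_TEMPLATES[$view]);
    // Defence in depth: realpath() resolves symlinks and '..'; the result
    // must still sit inside the templates directory even if the map is
    // later edited carelessly.
    if ($base === false || $real === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

function render_view(string $view): void {
    $template = resolve_view($view);
    if ($template === null) {
        http_response_code(400);
        echo 'Unknown view';
        return;
    }
    include $template;
}

// Usage: the raw request value passes through resolve_view() and is never
// concatenated into an include path.
// render_view(isset($_GET['view']) ? (string) $_GET['view'] : 'list');
```

The allowlist is the actual control; the `realpath()` containment check is a second layer so that a later mistake in the map (for example a value containing `../`) still cannot escape the templates directory. Rejecting unknown keys with a 400 also gives a WAF or log pipeline a clean signal for attempted inclusion of files outside the map.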