CVE-2025-26957
Published: 25 February 2025
Summary
CVE-2025-26957 is a high-severity PHP Remote File Inclusion (CWE-98) vulnerability. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 24.6% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Deeper analysis
CVE-2025-26957 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, classified as PHP Remote File Inclusion but enabling PHP Local File Inclusion, in the Deetronix Affiliate Coupons WordPress plugin. This issue affects all versions of the plugin from n/a through 1.7.3 and is associated with CWE-98.
The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating exploitation over the network with high attack complexity, low privileges required, and no user interaction. Attackers with low-privilege access, such as authenticated WordPress users, can exploit it to achieve high impacts on confidentiality, integrity, and availability through local file inclusion.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/affiliate-coupons/vulnerability/wordpress-affiliate-coupons-plugin-1-7-3-local-file-inclusion-vulnerability?_s_id=cve details the local file inclusion vulnerability in the Affiliate Coupons plugin version 1.7.3. Security practitioners should consult this reference for mitigation guidance, such as updating the plugin beyond version 1.7.3 where available.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-5409
Vulnerability details
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Deetronix Affiliate Coupons affiliate-coupons allows PHP Local File Inclusion. This issue affects Affiliate Coupons: from n/a through <= 1.7.3.
- CWE(s): CWE-98
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An LFI vulnerability in a public-facing WordPress plugin directly enables exploitation of public-facing applications (T1190) and, through arbitrary file inclusion, facilitates collection of data from the target's local system (T1005).
Mitigating Controls (NIST 800-53 r5)
SI-2 (Flaw Remediation): remediating the known PHP LFI flaw in the Affiliate Coupons WordPress plugin through patching or upgrades directly prevents exploitation across affected versions up to 1.7.3.
SI-10 (Information Input Validation): validating the filenames and paths that reach the plugin's include/require statements blocks local file inclusion attempts by ensuring the input is complete, well-formed, and free of suspicious content such as path-manipulation sequences.
RA-5 (Vulnerability Monitoring and Scanning): vulnerability scanning and monitoring identifies the PHP LFI vulnerability (CVE-2025-26957) in installed WordPress plugins, enabling proactive flaw remediation.
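The input-validation control above is easiest to see side by side with the CWE-98 pattern it neutralises. The following PHP is an added illustration written for this page; it is not code from the Affiliate Coupons plugin, and the request parameter name `view`, the `templates/` directory and the allowlist entries are assumptions chosen for the example.

```php
<?php
// Added example (not the plugin's code). Shows the generic CWE-98 pattern and an
// allowlist-plus-realpath replacement. Parameter name "view", the templates/
// directory and the allowlist values are assumptions for illustration.

// CWE-98 pattern: a request value is concatenated straight into include.
// Any value that traverses out of templates/ (e.g. "../../wp-config") is
// included as PHP, which is exactly the local file inclusion class of bug.
function render_template_unsafe(string $view): void
{
    include __DIR__ . '/templates/' . $view . '.php';
}

// Hardened replacement, part 1: the request value must match one of a small
// fixed set of known template names (an allowlist, not a denylist).
const ALLOWED_VIEWS = ['grid', 'list', 'single'];

// Hardened replacement, part 2: even an allowed name is only included after
// resolving it to a real path and confirming that path stays under templates/.
function resolve_template(string $view): ?string
{
    if (!in_array($view, ALLOWED_VIEWS, true)) {
        return null;                       // unknown name: refuse outright
    }
    $base = realpath(__DIR__ . '/templates');
    $path = realpath(__DIR__ . '/templates/' . $view . '.php');
    if ($base === false || $path === false) {
        return null;                       // directory or template file missing
    }
    // realpath() collapses "..", "." and symlinks, so a prefix comparison on the
    // canonical path is a reliable containment check and protects the code if
    // the allowlist is ever loosened in a later change.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

function render_template(string $view): void
{
    $path = resolve_template($view);
    if ($path === null) {
        http_response_code(400);
        echo 'Unknown template';
        return;
    }
    include $path;
}

// Constructed sample inputs. Values that are not on the allowlist, including
// traversal attempts, resolve to null; "grid" resolves only if templates/grid.php
// actually exists on disk.
$samples = ['grid', '../../wp-config', 'grid/../../wp-config', "grid\0"];
foreach ($samples as $sample) {
    $resolved = resolve_template($sample);
    printf("%-28s => %s\n", var_export($sample, true), $resolved ?? 'rejected');
}
```

The allowlist is the control that actually removes the vulnerability class; the `realpath` containment check is defence in depth. Note that in WordPress the request value would normally be read through `wp_unslash()` and `sanitize_key()` before reaching this function, which further narrows the input to lowercase letters, digits, underscores and hyphens.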