CVE-2025-26979
Published: 25 February 2025
Summary
CVE-2025-26979 is a high-severity PHP file inclusion vulnerability classed as CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program, commonly labelled 'PHP Remote File Inclusion'). Its CVSS base score is 7.5 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 36.1% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
The vulnerability is a PHP Local File Inclusion issue stemming from improper control of filenames in include/require statements, tracked as CWE-98. It affects the Funnel Builder by FunnelKit WordPress plugin in all versions through 3.9.0 and carries a CVSS 3.1 score of 7.5.
An unauthenticated remote attacker can exploit the flaw over the network, though successful exploitation requires high attack complexity and user interaction. Successful abuse allows the attacker to include arbitrary local files, resulting in high impact to confidentiality, integrity, and availability on the affected site.
The EPSS score rose from a low baseline to a peak of 0.0119, indicating emerging exploitation interest after disclosure. Details and further guidance are available in the Patchstack advisory for the plugin.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-5416
Vulnerability details
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Aman Funnel Builder by FunnelKit funnel-builder allows PHP Local File Inclusion. This issue affects Funnel Builder by FunnelKit: from n/a through <= 3.9.0.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An LFI flaw in a public-facing WordPress plugin directly enables T1190 (Exploit Public-Facing Application) for initial access, and the resulting arbitrary local file reads facilitate T1005 (Data from Local System).
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): requires timely identification, prioritization, and correction of the PHP Local File Inclusion flaw in the Funnel Builder plugin, directly mitigating CVE-2025-26979.
- SI-10 (Information Input Validation): enforces validation of user-supplied filenames before they are used in PHP include/require statements, removing the improper filename control exploited in this LFI vulnerability.
- Ongoing vulnerability scanning identifies the presence of CVE-2025-26979 in installed WordPress plugins such as Funnel Builder.
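As an added illustration of the CWE-98 pattern described in the deeper analysis and of the SI-10 control above, the snippet below is not the FunnelKit plugin's code and says nothing about how that plugin is actually written. It shows a hypothetical template loader that passes a request parameter straight into include, beside a hardened version that accepts only allowlisted template keys and verifies that the resolved path stays under the templates directory. All names (render_template_unsafe, resolve_template, TEMPLATE_MAP, the 'template' request parameter, the templates/ directory) are assumptions made for the example.

```php
<?php
// Added example: hypothetical template loader, not code from the FunnelKit plugin.
declare(strict_types=1);

// VULNERABLE PATTERN (CWE-98): a request-controlled value reaches include unchanged.
// Anything the web server process can read under a traversed path becomes includable,
// which is the "arbitrary local file inclusion" the advisory describes.
function render_template_unsafe(string $name): void
{
    include __DIR__ . '/templates/' . $name;
}

// HARDENED PATTERN (SI-10 style input validation):
// 1. the untrusted value is only ever used as a key into a fixed map, never as a path;
// 2. the resolved file is canonicalised and checked to sit inside the templates directory,
//    so a mistake in the map (or a symlink) cannot escape the intended tree.
const TEMPLATE_MAP = [
    'checkout' => 'checkout.php',   // assumed template names
    'thankyou' => 'thankyou.php',
];

function resolve_template(string $name): ?string
{
    if (!array_key_exists($name, TEMPLATE_MAP)) {
        return null;                                   // unknown key: refuse, do not guess
    }
    $base = realpath(__DIR__ . '/templates');
    if ($base === false) {
        return null;                                   // templates dir missing: fail closed
    }
    $path = realpath($base . DIRECTORY_SEPARATOR . TEMPLATE_MAP[$name]);
    if ($path === false) {
        return null;                                   // file missing or unreadable
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;                                   // resolved outside the templates tree
    }
    return $path;
}

function render_template_safe(string $name): void
{
    $path = resolve_template($name);
    if ($path === null) {
        http_response_code(400);
        exit('unknown template');
    }
    include $path;
}

// Request handling: the only difference between the two is which function the
// untrusted parameter flows into.
$requested = (string) ($_GET['template'] ?? '');
render_template_safe($requested);
```

The allowlist is the control that actually closes CWE-98: a denylist of "../" or wrapper prefixes is easy to get wrong, whereas mapping a key to a fixed filename means no attacker-chosen string is ever concatenated into the include path. The realpath prefix check is defence in depth for the case where the map itself points somewhere unexpected. When auditing a plugin for this weakness, the thing to grep for is any include, require, include_once or require_once whose argument is built from $_GET, $_POST, $_REQUEST, $_COOKIE or option values that users can edit.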