Cyber Resilience

CVE-2025-26985

High

Published: 25 February 2025

Modified: 23 April 2026
KEV Added
Patch
CVSS Score v3.1: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0088 (75.8th percentile)
Risk Priority: 17 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-26985 is a high-severity PHP Remote File Inclusion (CWE-98) vulnerability. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 24.2% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

The vulnerability is a PHP Local File Inclusion flaw (CWE-98) arising from improper control of filenames in include/require statements within the Majestic Support WordPress plugin. It affects all versions through 1.0.6 and carries a CVSS 3.1 score of 8.1.

An unauthenticated remote attacker can exploit the issue over the network, albeit with high attack complexity, to include arbitrary local files. Successful exploitation can fully compromise the confidentiality, integrity, and availability of the affected WordPress site.

The Patchstack advisory identifies the precise versions impacted and catalogs the local-file-inclusion vector, indicating that site operators should apply the vendor-supplied update that resolves the flaw. The associated EPSS score remains low, with only a modest rise from 0.0088 to a peak of 0.0131.

Vulnerability details

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Majestic Support Majestic Support majestic-support allows PHP Local File Inclusion. This issue affects Majestic Support: from n/a through <= 1.0.6.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1505.003 Web Shell (Persistence)
Adversaries may backdoor web servers with web shells to establish persistent access to systems.

Why these techniques?

The LFI vulnerability in a public-facing WordPress plugin enables remote exploitation of the application (T1190) and facilitates arbitrary local PHP file inclusion and execution, which is commonly used to load and run web shells (T1505.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-13408 (shared CWE-98)
CVE-2026-39387 (shared CWE-98)
CVE-2026-3425 (shared CWE-98)
CVE-2026-27383 (shared CWE-98)
CVE-2024-51319 (shared CWE-98)
CVE-2025-30845 (shared CWE-98)
CVE-2025-52732 (shared CWE-98)
CVE-2025-69078 (shared CWE-98)
CVE-2026-24538 (shared CWE-98)
CVE-2025-54031 (shared CWE-98)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

prevent

Directly remediates the improper filename control flaw in the Majestic Support WordPress plugin by identifying, reporting, and patching the PHP Local File Inclusion vulnerability.

prevent

Mandates information input validation mechanisms at entry points to sanitize and validate filenames supplied to PHP include/require statements, blocking arbitrary local file inclusion.

prevent, detect

Enforces boundary protection using web application firewalls or proxies to inspect and block incoming requests with path traversal payloads targeting the file inclusion vulnerability.
