CVE-2025-26985
Published: 25 February 2025
Summary
CVE-2025-26985 is a high-severity PHP Remote File Inclusion (CWE-98) vulnerability. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 24.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
The vulnerability is a PHP Local File Inclusion flaw (CWE-98) arising from improper control of filenames in include/require statements within the Majestic Support WordPress plugin. It affects all versions through 1.0.6 and carries a CVSS 3.1 score of 8.1.
An unauthenticated remote attacker can exploit the issue over the network, albeit with high attack complexity, to include arbitrary local files. Successful exploitation can yield full control over confidentiality, integrity, and availability of the affected WordPress site.
The Patchstack advisory identifies the precise versions impacted and catalogs the local-file-inclusion vector, indicating that site operators should apply the vendor-supplied update that resolves the flaw. The associated EPSS score remains low, with only a modest rise from 0.0088 to a peak of 0.0131.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-5373
Vulnerability details
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Majestic Support Majestic Support majestic-support allows PHP Local File Inclusion.This issue affects Majestic Support: from n/a through <= 1.0.6.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
LFI vulnerability in public-facing WordPress plugin enables remote exploitation of the application (T1190) and facilitates arbitrary local PHP file inclusion/execution, commonly used to load and run web shells (T1100).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly remediates the improper filename control flaw in the Majestic Support WordPress plugin by identifying, reporting, and patching the PHP Local File Inclusion vulnerability.
Mandates information input validation mechanisms at entry points to sanitize and validate filenames supplied to PHP include/require statements, blocking arbitrary local file inclusion.
Enforces boundary protection using web application firewalls or proxies to inspect and block incoming requests with path traversal payloads targeting the file inclusion vulnerability.