Cyber Resilience

CVE-2025-28979

Severity: High
Published: 14 August 2025
Modified: 28 April 2026
KEV Added
Patch
CVSS Score v3.1: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0055 (68.3rd percentile)
Risk Priority: 17 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-28979 is a high-severity PHP Remote File Inclusion (CWE-98) vulnerability in ThimPress WP Pipes. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked in the top 31.7% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-28979 is an Improper Control of Filename for Include/Require Statement vulnerability in a PHP program: a CWE-98 (PHP Remote File Inclusion) weakness that in this case allows PHP Local File Inclusion. It affects the ThimPress WP Pipes WordPress plugin in all versions from n/a through 1.4.3. It carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H): high severity because of the significant potential impact, despite the elevated attack complexity.

Unauthenticated remote attackers can exploit this vulnerability over the network without user interaction, though it demands high attack complexity. Successful exploitation yields high confidentiality, integrity, and availability impacts, allowing an attacker to include and execute arbitrary local PHP files, which can lead to sensitive data exposure, code execution, or full compromise of affected WordPress sites running vulnerable WP Pipes versions.

The Patchstack advisory at https://patchstack.com/database/wordpress/plugin/wp-pipes/vulnerability/wordpress-wp-pipes-1-4-3-local-file-inclusion-vulnerability?_s_id=cve documents the local file inclusion vulnerability in WP Pipes 1.4.3 and provides associated mitigation guidance for WordPress administrators.

Vulnerability details

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThimPress WP Pipes allows PHP Local File Inclusion. This issue affects WP Pipes: from n/a through 1.4.3.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1505.003 Web Shell (Persistence): Adversaries may backdoor web servers with web shells to establish persistent access to systems.

Why these techniques?

An LFI/RFI flaw in a public-facing WordPress plugin directly enables T1190 for initial access, and T1505.003 via execution of an arbitrary PHP file as a web shell.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

- CVE-2024-13408 (shared CWE-98)
- CVE-2026-39387 (shared CWE-98)
- CVE-2026-3425 (shared CWE-98)
- CVE-2026-27383 (shared CWE-98)
- CVE-2024-51319 (shared CWE-98)
- CVE-2025-30845 (shared CWE-98)
- CVE-2025-26985 (shared CWE-98)
- CVE-2025-52732 (shared CWE-98)
- CVE-2025-69078 (shared CWE-98)
- CVE-2026-24538 (shared CWE-98)

Affected Assets

Vendor: thimpress
Product: wp pipes
Versions: ≤ 1.4.3

Mitigating Controls (NIST 800-53 r5) (AI)

- Prevent: Directly remediates the PHP Local File Inclusion vulnerability in WP Pipes by applying patches, updates, or removal of the affected plugin versions.
- Prevent: Enforces validation of untrusted inputs controlling PHP include/require filenames to block malicious local file inclusion attempts exploiting this CVE.
- Detect/Respond: Scans for and identifies the vulnerable WP Pipes plugin, enabling prioritization and remediation of this specific LFI vulnerability.
