CVE-2025-28979
Published: 14 August 2025
Summary
CVE-2025-28979 is a high-severity PHP Remote File Inclusion (CWE-98) vulnerability in Thimpress Wp Pipes. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 31.7% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-28979 is an Improper Control of Filename for Include/Require Statement vulnerability in a PHP program, specifically a PHP Remote File Inclusion weakness that enables PHP Local File Inclusion, affecting the ThimPress WP Pipes WordPress plugin in all versions from n/a through 1.4.3. Mapped to CWE-98, it carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H): high severity, because the confidentiality, integrity and availability impacts are all rated high even though the attack complexity is also high.
Unauthenticated remote attackers can exploit this vulnerability over the network without user interaction, though it demands high attack complexity. Successful exploitation yields high confidentiality, integrity, and availability impact: the attacker can cause the plugin to include and execute local PHP files of their choosing, potentially leading to sensitive data exposure, code execution, or full compromise of WordPress sites running vulnerable WP Pipes versions.
The Patchstack advisory at https://patchstack.com/database/wordpress/plugin/wp-pipes/vulnerability/wordpress-wp-pipes-1-4-3-local-file-inclusion-vulnerability?_s_id=cve documents the local file inclusion vulnerability in WP Pipes 1.4.3 and provides associated mitigation guidance for WordPress administrators.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-24733
Vulnerability details
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThimPress WP Pipes allows PHP Local File Inclusion. This issue affects WP Pipes: from n/a through 1.4.3.
- CWE(s): CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
LFI/RFI in a public-facing WordPress plugin directly enables T1190 (Exploit Public-Facing Application) for initial access, and T1505.003 (Web Shell) because the included PHP file executes with the web server's privileges.
Mitigating Controls (NIST 800-53 r5)
- Flaw remediation (patching or removal): Directly remediates the PHP Local File Inclusion vulnerability in WP Pipes by applying patches, updates, or removal of the affected plugin versions.
- SI-10 (Information Input Validation): Enforces validation of untrusted inputs controlling PHP include/require filenames to block malicious local file inclusion attempts exploiting this CVE.
- RA-5 (Vulnerability Monitoring and Scanning): Scans for and identifies the vulnerable WP Pipes plugin, enabling prioritization and remediation of this specific LFI vulnerability.
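The following is an added illustration of the CWE-98 pattern the "Deeper analysis" section describes and of the SI-10 input-validation control listed above; it is not code from WP Pipes or from the advisory. The template directory, the `view` request parameter and the allowlisted file names are assumptions chosen for the example.

```php
<?php
// Added example (not WP Pipes code): the include/require sink that CWE-98
// describes, beside an allowlist-based replacement in the spirit of SI-10.
// TEMPLATE_DIR, the 'view' parameter and the VIEWS table are assumptions.

declare(strict_types=1);

const TEMPLATE_DIR = __DIR__ . '/templates';

// VULNERABLE PATTERN (for contrast only): the filename handed to include
// is built from request input, so the request decides which file the PHP
// interpreter executes. If allow_url_include is enabled in php.ini the
// same sink also accepts remote URLs (the RFI variant of CWE-98).
function render_unsafe(string $view): void
{
    include TEMPLATE_DIR . '/' . $view . '.php';
}

// HARDENED: request values are keys into a fixed table, so no request
// character ever reaches the path string.
const VIEWS = [
    'list'   => 'list.php',
    'detail' => 'detail.php',
    'export' => 'export.php',
];

// Returns the absolute path of an allowlisted template, or null to refuse.
function resolve_view(string $view): ?string
{
    if (!isset(VIEWS[$view])) {
        return null;                                // unknown key: refuse
    }
    $base = realpath(TEMPLATE_DIR);
    $path = realpath(TEMPLATE_DIR . '/' . VIEWS[$view]);
    // Defence in depth: even a mistaken allowlist entry must resolve to a
    // regular file strictly inside TEMPLATE_DIR (no ../, symlink escape or
    // stream wrapper can pass, because realpath() only resolves local files).
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0
        || !is_file($path)) {
        return null;
    }
    return $path;
}

function render_safe(string $view): void
{
    $path = resolve_view($view);
    if ($path === null) {
        http_response_code(404);
        // Rejected values are a useful detection signal: log them so that
        // probing of the include parameter shows up in web-server or SIEM review.
        error_log(sprintf('rejected include request for view=%s', $view));
        return;
    }
    include $path;
}

// The request value is only ever looked up, never concatenated into a path.
render_safe((string)($_GET['view'] ?? 'list'));
```

Two points worth noting for administrators reviewing similar plugins: the allowlist is the control that actually removes the CWE-98 sink, while the `realpath()` containment check only limits the damage if the allowlist is ever populated from the wrong source; and keeping `allow_url_include` disabled in `php.ini` closes the remote-inclusion variant independently of any plugin code.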