CVE-2025-31387
Published: 31 March 2025
Summary
CVE-2025-31387 is a high-severity vulnerability classed under CWE-98, Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion'); in this case the exploitable behaviour is local file inclusion. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 22.4% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations identified in this analysis are NIST SP 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-31387 is a PHP Local File Inclusion vulnerability caused by improper control of the filename passed to an include/require statement (CWE-98). It affects the InstaWP Connect WordPress plugin in versions up to and including 0.1.0.82.
The flaw can be exploited by unauthenticated remote attackers who supply crafted input to force the inclusion of arbitrary files from the server's filesystem. PHP parses an included file as code and emits anything outside PHP tags verbatim, so including a non-PHP file discloses its contents, and including any file whose contents an attacker can influence can lead to code execution. Per the CVSS 7.5 rating the attack is high complexity and requires user interaction, but successful exploitation can disclose sensitive information and affect integrity and availability.
The issue is documented in the Patchstack vulnerability database, which serves as the primary advisory reference for this CVE. Its EPSS score of 0.0101 (an estimated probability of roughly 1% that exploitation activity is observed within the next 30 days), with a peak of 0.0147, indicates limited observed exploitation interest to date.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-8707
Vulnerability details
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in InstaWP InstaWP Connect instawp-connect allows PHP Local File Inclusion. This issue affects InstaWP Connect: from n/a through <= 0.1.0.82.
- CWE(s): CWE-98, Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1190: Exploit Public-Facing Application
Why these techniques?
The CVE describes a local file inclusion vulnerability in a publicly accessible WordPress plugin that lets remote, unauthenticated attackers include (and therefore execute as PHP) arbitrary local files, which maps directly to exploitation of a public-facing application.
Mitigating Controls (NIST 800-53 r5)
SI-2 (Flaw Remediation): timely patching of the InstaWP Connect plugin to a version later than 0.1.0.82 removes the PHP Local File Inclusion vulnerability.
SI-10 (Information Input Validation): validating the filename or path before it reaches an include/require statement, ideally by matching against a fixed allowlist of known template names rather than by stripping "../" sequences, ensures that only intended files can be included.
Secure PHP configuration settings limit the blast radius of an inclusion bug: open_basedir confines the directories from which PHP may open or include files, and allow_url_include=Off (the default) prevents the same flaw from being turned into remote inclusion of attacker-hosted code. Neither setting replaces input validation: open_basedir still permits inclusion of any file under the configured directories, including user uploads.
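To make the CWE-98 pattern from the analysis above and the SI-10 validation control concrete, here is an added example written for this page. It is not InstaWP Connect's code and does not reproduce the plugin's actual vulnerable code path; the vulnerable loader, the hardened loader, the allowlist entries, the template-directory layout and the sample "secret" file are all assumptions for illustration. It needs PHP 8 (for str_starts_with) and runs offline from the command line.

```php
<?php
declare(strict_types=1);

// Added example (not InstaWP Connect's code): the CWE-98 pattern behind a PHP
// Local File Inclusion bug, next to a hardened loader. Template names and the
// directory layout are assumptions for illustration.

// ---- Vulnerable pattern (CWE-98) -------------------------------------------
// The request-controlled $name flows straight into include. "../" sequences
// walk out of $dir; if there were no $dir prefix, stream wrappers such as
// php://filter would be reachable too. PHP emits the non-PHP parts of an
// included file verbatim and executes any <?php segments it contains.
function load_template_vulnerable(string $dir, string $name): void
{
    include $dir . '/' . $name;
}

// ---- Hardened loader (SI-10: validate before include) ----------------------
// Check 1: an allowlist of bare template identifiers, matched strictly.
// Check 2: realpath() containment, so that a future allowlist mistake still
// cannot escape $dir. Both checks must pass.
const ALLOWED_TEMPLATES = ['dashboard', 'settings', 'logs'];

function resolve_template(string $dir, string $name): ?string
{
    if (!in_array($name, ALLOWED_TEMPLATES, true)) {
        return null;
    }
    $root = realpath($dir);
    $path = realpath($dir . '/' . $name . '.php');
    if ($root === false || $path === false) {
        return null;
    }
    // Compare with a trailing separator so /srv/tpl does not match /srv/tpl2.
    if (!str_starts_with($path, $root . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $path;
}

function load_template_safe(string $dir, string $name): bool
{
    $path = resolve_template($dir, $name);
    if ($path === null) {
        return false; // caller answers HTTP 400 and logs the rejected value
    }
    include $path;
    return true;
}

// ---- Runtime view of the php.ini settings discussed above -------------------
function inclusion_settings(): array
{
    return [
        'allow_url_include' => filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN),
        'open_basedir'      => ini_get('open_basedir') ?: null,
    ];
}

// ---- Self-test: php lfi_demo.php ------------------------------------------
if (PHP_SAPI === 'cli') {
    $base = sys_get_temp_dir() . '/lfi-demo-' . bin2hex(random_bytes(4));
    $tpl  = $base . '/templates';
    mkdir($tpl, 0700, true);
    file_put_contents($tpl . '/dashboard.php', "<?php echo \"dashboard rendered\\n\";");
    // Constructed sample file standing in for a config outside the template dir.
    file_put_contents($base . '/secret.txt', "DB_PASSWORD=constructed-sample\n");

    ob_start();
    load_template_vulnerable($tpl, '../secret.txt');
    echo 'vulnerable loader leaked: ', trim(ob_get_clean()), "\n";

    // Attacker-style inputs (constructed) and whether the hardened resolver
    // should accept them.
    $cases = [
        'dashboard'                                             => true,
        '../secret.txt'                                         => false,
        '../../../../etc/passwd'                                => false,
        "dashboard\0"                                           => false,
        'php://filter/convert.base64-encode/resource=dashboard' => false,
    ];
    foreach ($cases as $input => $expected) {
        $ok = (resolve_template($tpl, $input) !== null) === $expected;
        printf("%-58s %s\n", json_encode($input), $ok ? 'ok' : 'MISMATCH');
    }
    load_template_safe($tpl, 'dashboard');
    var_export(inclusion_settings());
    echo "\n";

    unlink($tpl . '/dashboard.php');
    unlink($base . '/secret.txt');
    rmdir($tpl);
    rmdir($base);
}
```

The vulnerable loader prints the constructed secret file when handed "../secret.txt", which is the disclosure outcome described above; the hardened resolver rejects every traversal, null-byte and wrapper input and accepts only exact allowlist entries. The allowlist is the real control, and the realpath() containment check is defence in depth: on its own, containment would still let an attacker include any file under the template directory, including one they managed to upload there, which is why the configuration settings printed at the end narrow the damage but do not substitute for validation.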