CVE-2025-31405
Published: 04 April 2025
Summary
CVE-2025-31405 is a high-severity vulnerability of the CWE-98 class (Improper Control of Filename for Include/Require Statement in PHP Program, 'PHP Remote File Inclusion'), which in this case results in PHP local file inclusion. Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 21.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
The vulnerability is a PHP Local File Inclusion issue (CWE-98) stemming from improper control of filenames in include/require statements. It affects the Fami WooCommerce Compare plugin for WordPress, developed by zankover, in all versions through 1.0.5.
An unauthenticated remote attacker can exploit the flaw by supplying a crafted filename parameter that results in the inclusion of arbitrary local files on the server. Successful exploitation, which per the CVSS 7.5 rating requires user interaction and carries high attack complexity, has a high impact on the confidentiality, integrity, and availability of the affected WordPress site.
The Patchstack advisory for this issue recommends updating the plugin beyond version 1.0.5 once a fixed release is available. The associated EPSS score remains low, with a current value of 0.0106 and a peak of only 0.0139.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-9748
Vulnerability details
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in zankover Fami WooCommerce Compare fami-woocommerce-compare allows PHP Local File Inclusion. This issue affects Fami WooCommerce Compare: from n/a through <= 1.0.5.
- CWE(s): CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.