CVE-2025-39387
Published: 24 April 2025
Summary
CVE-2025-39387 is a high-severity PHP Remote File Inclusion (CWE-98) vulnerability. Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 31.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
The vulnerability is a PHP Local File Inclusion issue, tracked as CWE-98, in the wpoperations Opstore WordPress theme. It stems from improper control of filenames in include/require statements and affects all versions through 1.4.5. The flaw received a CVSS 7.5 rating reflecting network attack vectors with high complexity and required user interaction.
An unauthenticated remote attacker can supply a crafted filename to force inclusion of arbitrary local PHP files on the server. Successful exploitation can yield arbitrary code execution with the web server's privileges, potentially leading to full site compromise including data theft or further lateral movement.
The sole advisory reference is a Patchstack entry that catalogs the Local File Inclusion vulnerability in Opstore 1.4.5 and directs administrators to apply the corresponding theme update once released. EPSS scores remain low, with a current value of 0.0055 and a modest peak of 0.0106, indicating limited observed exploitation interest to date.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-12064
Vulnerability details
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in wpoperations Opstore opstore allows PHP Local File Inclusion. This issue affects Opstore: from n/a through <= 1.4.5.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.