CVE-2025-46468
Published: 23 May 2025
Summary
CVE-2025-46468 is a critical-severity PHP Remote File Inclusion (CWE-98) vulnerability. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 21.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2025-46468 is an improper control of filename for an include/require statement in a PHP program (CWE-98), described as a PHP Remote File Inclusion flaw that permits PHP Local File Inclusion. It affects the Fable Extra plugin by WPFable for WordPress; all versions from n/a through 1.0.6 are impacted, and the CVSS 3.1 score is 9.8.
Unauthenticated attackers with network access can exploit the issue without user interaction or credentials to include arbitrary local files, resulting in high impact to confidentiality, integrity, and availability on the target server.
The Patchstack advisory at the referenced URL documents the local file inclusion vulnerability in the fable-extra plugin. The EPSS score remains flat at 0.0106 with no material increase observed.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-28050
Vulnerability details
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WPFable Fable Extra fable-extra allows PHP Local File Inclusion. This issue affects Fable Extra: from n/a through <= 1.0.6.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.