Cyber Resilience

CVE-2025-46468

Critical

Published: 23 May 2025

Modified: 23 April 2026
KEV Added
Patch
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0106 (78.1th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-46468 is a critical-severity PHP Remote File Inclusion (CWE-98) vulnerability. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 21.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2025-46468 is an improper control of the filename used in an include/require statement in a PHP program (CWE-98). The record classes it as PHP Remote File Inclusion and states that it allows PHP Local File Inclusion. It affects the Fable Extra plugin (fable-extra) by WPFable for WordPress; the affected range is given as n/a through 1.0.6, and the CVSS 3.1 score is 9.8.

Per the CVSS vector, an unauthenticated attacker with network access can exploit the issue without credentials or user interaction to include arbitrary local files, with high impact on the confidentiality, integrity, and availability of the target server.

The Patchstack advisory at the referenced URL documents the local file inclusion vulnerability in the fable-extra plugin. The EPSS score remains flat at 0.0106 with no material increase observed.

EU & UK References

Vulnerability details

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WPFable Fable Extra fable-extra allows PHP Local File Inclusion. This issue affects Fable Extra: from n/a through <= 1.0.6.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References