CVE-2025-54031
Published: 20 August 2025
Summary
CVE-2025-54031 is a high-severity PHP Remote File Inclusion (CWE-98) vulnerability. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 36.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-54031 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability (CWE-98, the weakness class commonly called PHP Remote File Inclusion); in this instance it allows PHP Local File Inclusion in the Schiocco Support Board WordPress plugin. The issue affects Support Board versions from n/a through <= 3.8.0. Its CVSS v3.1 base score is 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
The vulnerability is exploitable over the network by remote, unauthenticated attackers and requires no user interaction, although the attack complexity is rated high. Successful exploitation has high impact on confidentiality, integrity, and availability: depending on the inclusion mechanism, an attacker may read sensitive local files or achieve arbitrary code execution.
Patchstack provides details on this WordPress plugin vulnerability, including mitigation guidance, in its database entry at https://patchstack.com/database/Wordpress/Plugin/supportboard/vulnerability/wordpress-support-board-3-8-0-local-file-inclusion-vulnerability?_s_id=cve. The vulnerability was published on 2025-08-20T08:15:46.730.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-25317
Vulnerability details
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Schiocco Support Board supportboard allows PHP Local File Inclusion. This issue affects Support Board: from n/a through <= 3.8.0.
- CWE(s): CWE-98
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
LFI/RFI in a public-facing WordPress plugin directly enables T1190 exploitation and arbitrary PHP code execution via web shell inclusion (T1505.003).
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly mitigates the CVE by requiring timely patching of the vulnerable Schiocco Support Board WordPress plugin versions <= 3.8.0 to fix the improper filename control in PHP include/require statements.
- SI-10 (Information Input Validation): enforces validation of user-supplied filenames and inputs to the PHP include/require functions, preventing local file inclusion exploitation as described in CWE-98.
- Secure configuration settings: establishes hardened PHP settings such as open_basedir restrictions and disabling remote file inclusion to limit the scope of file access in vulnerable plugins.
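The following PHP is an added example illustrating the CWE-98 pattern described in the deeper analysis and the two code-level mitigations listed above (input validation on the include path, and the open_basedir / remote-inclusion configuration settings). It is not code from the Support Board plugin, Patchstack or this database; the page gives no detail of the plugin's actual include logic, so the function names (`render_template_unsafe`, `validate_template_name`, `resolve_template`, `inclusion_hardening_findings`), the `ALLOWED_TEMPLATES` list and the template directory are all hypothetical.

```php
<?php
// Added illustration of CWE-98 and its mitigation; not the Support Board plugin's code.
declare(strict_types=1);

// --- Vulnerable pattern (generic CWE-98, for contrast only) ---
// A name taken straight from the request decides which file include() loads.
// Traversal sequences reach any readable file; with allow_url_include=On a URL works too.
function render_template_unsafe(string $template): void
{
    include __DIR__ . '/templates/' . $template . '.php';   // CWE-98: attacker-controlled path
}

// --- Hardened form: allowlist + containment (NIST SI-10 style input validation) ---
const TEMPLATE_DIR = __DIR__ . '/templates';          // hypothetical location
const ALLOWED_TEMPLATES = ['chat', 'ticket', 'settings']; // hypothetical allowlist

// Step 1: only plain identifiers that are on the allowlist are acceptable.
// The regex alone already excludes ".", "/", "\\", NUL and URL schemes.
function validate_template_name(string $name): bool
{
    if (!preg_match('/\A[a-z0-9_]{1,32}\z/', $name)) {
        return false;
    }
    return in_array($name, ALLOWED_TEMPLATES, true);
}

// Step 2: resolve the real path and confirm it stays under TEMPLATE_DIR.
// Defence in depth: even if the allowlist is later widened, nothing outside the
// template directory can be included. Returns null when the file must not be loaded.
function resolve_template(string $name): ?string
{
    if (!validate_template_name($name)) {
        return null;
    }
    $base = realpath(TEMPLATE_DIR);
    $path = realpath(TEMPLATE_DIR . '/' . $name . '.php');
    if ($base === false || $path === false) {
        return null;   // directory or template file does not exist
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;   // resolved outside the template directory
    }
    return $path;
}

function render_template(string $name): void
{
    $path = resolve_template($name);
    if ($path === null) {
        http_response_code(400);
        echo 'Unknown template';
        return;
    }
    include $path;
}

// --- Configuration check for the settings named in the mitigations ---
// Reports PHP ini settings that widen what an inclusion bug can reach.
// allow_url_include is deprecated but still honoured where present; Off is the safe value.
function inclusion_hardening_findings(): array
{
    $findings = [];
    if (filter_var((string) ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
        $findings[] = 'allow_url_include is On: include/require can load remote URLs';
    }
    $baseDir = ini_get('open_basedir');
    if ($baseDir === false || $baseDir === '') {
        $findings[] = 'open_basedir is unset: PHP may open any file the web server user can read';
    }
    return $findings;
}

// Constructed demonstration when run from the CLI: shows which candidate names
// the validator accepts. Only allowlisted identifiers pass; traversal and URL-shaped
// values are rejected before any filesystem access happens.
if (PHP_SAPI === 'cli') {
    foreach (['chat', 'ticket', '../wp-config', 'chat/../chat', 'http://example.invalid/x'] as $candidate) {
        printf("%-28s -> %s\n", $candidate, validate_template_name($candidate) ? 'accepted' : 'rejected');
    }
    foreach (inclusion_hardening_findings() as $finding) {
        echo $finding, "\n";
    }
}
```

The allowlist does the real work; the realpath containment check is a second layer so a future change to the list cannot reintroduce traversal, and `inclusion_hardening_findings()` is the kind of check a deployment script can run so that open_basedir and allow_url_include are confirmed rather than assumed.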