Cyber Resilience

CVE-2025-6715

Severity: Critical
Published: 13 August 2025
Modified: 15 April 2026
CVSS Score: v3.1 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0097 (77.0th percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-6715 is a critical-severity vulnerability with no CWE assigned (unspecified weakness). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 23.0% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-6715 is a Local File Inclusion (LFI) vulnerability in the LatePoint WordPress plugin versions prior to 5.1.94. The flaw arises from inadequate sanitization of the "layout" parameter, allowing attackers to include arbitrary files from the local filesystem and execute PHP code within them. Published on 2025-08-13, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for remote code execution.

Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity and no user interaction required. By manipulating the "layout" parameter, they can include and execute any PHP file on the server, enabling arbitrary code execution that compromises confidentiality, integrity, and availability to a high degree, potentially leading to full server takeover.

The WPScan advisories at the referenced URLs detail the issue and recommend updating to LatePoint version 5.1.94 or later to mitigate the vulnerability, as earlier versions remain susceptible to this LFI-to-RCE attack vector.


Vulnerability details

The LatePoint WordPress plugin before 5.1.94 is vulnerable to Local File Inclusion via the layout parameter. This makes it possible for attackers to include and execute PHP files on the server, allowing the execution of any PHP code in those files.

CWE(s)
None listed

Related Threats

MITRE ATT&CK Enterprise Techniques

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1059.006 Python (Execution): Adversaries may abuse Python commands and scripts for execution.

Why these techniques?

LFI in a public-facing WordPress plugin directly enables T1190 exploitation for unauthenticated RCE; PHP file inclusion/execution maps to T1059.006 scripting interpreter abuse.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

Mitigating Controls (NIST 800-53 r5)

- Prevent (SI-2 Flaw Remediation): Requires timely identification and patching of the LFI flaw in the LatePoint WordPress plugin prior to version 5.1.94, directly eliminating the vulnerability as recommended by advisories.
- Prevent (SI-10 Information Input Validation): Mandates validation of the unsanitized 'layout' parameter to prevent inclusion of arbitrary local files leading to PHP code execution.
- Prevent: Enforces restrictions on the 'layout' parameter at the web application boundary to block path traversal payloads exploiting the LFI vulnerability.
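As an added illustration that is not LatePoint's code (the plugin's real layout-loading logic is not reproduced here), the PHP below shows what the input-validation control (SI-10) looks like in practice: a request-controlled template name is resolved through an allowlist and a realpath containment check before anything reaches include(). The template directory and the layout names are assumed.

```php
<?php
// Added example, not LatePoint's code. TEMPLATE_DIR and the allowed
// layout names are assumptions for the illustration.
const TEMPLATE_DIR = __DIR__ . '/templates';

// Weak pattern behind an LFI: the request value is concatenated into
// the path handed to include(), so the caller controls which file runs.
function render_layout_unsafe(string $layout): void
{
    include TEMPLATE_DIR . '/' . $layout . '.php';
}

// Hardened pattern: accept only a known layout name, then confirm the
// resolved path still lives inside the template directory.
function resolve_layout(string $layout): ?string
{
    $allowed = ['default', 'compact', 'wide']; // assumed layout names
    if (!in_array($layout, $allowed, true)) {
        return null; // unknown name: reject before touching the filesystem
    }
    $base = realpath(TEMPLATE_DIR);
    $path = realpath(TEMPLATE_DIR . '/' . $layout . '.php');
    // realpath() collapses ../ and symlinks; the prefix check catches
    // anything that resolved outside the template directory.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

function render_layout_safe(string $layout): void
{
    $path = resolve_layout($layout);
    if ($path === null) {
        http_response_code(400); // bad layout value: fail closed
        return;
    }
    include $path;
}
```

The allowlist alone is sufficient to block the LFI; the containment check is defence in depth for the case where the name list is later generated from configuration rather than hard-coded.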
