CVE-2025-68563
Published: 24 December 2025
Summary
CVE-2025-68563 is a high-severity PHP Remote File Inclusion (CWE-98) vulnerability. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 28.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-68563 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, described as PHP Remote File Inclusion but enabling PHP Local File Inclusion, affecting the WordPress plugin Subscribe to Unlock Lite (subscribe-to-unlock-lite). The issue impacts all versions from n/a through 1.3.0 and is associated with CWE-98.
The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating exploitation over the network with high attack complexity, low privileges required, and no user interaction. An authenticated attacker with low privileges could leverage this to achieve high impacts on confidentiality, integrity, and availability, for example by causing the plugin to include, and therefore execute, arbitrary local files on the server.
Patchstack provides details on this vulnerability, including mitigation guidance, at https://patchstack.com/database/Wordpress/Plugin/subscribe-to-unlock-lite/vulnerability/wordpress-subscribe-to-unlock-lite-plugin-1-3-0-local-file-inclusion-vulnerability?_s_id=cve.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-205186
Vulnerability details
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WP Shuffle Subscribe to Unlock Lite subscribe-to-unlock-lite allows PHP Local File Inclusion. This issue affects Subscribe to Unlock Lite: from n/a through <= 1.3.0.
- CWE(s): CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application (T1190)
Why these techniques?
The vulnerability is a local file inclusion (LFI) flaw in a public-facing WordPress plugin, reachable by a low-privileged authenticated user according to the CVSS vector (PR:L); exploiting it is a direct instance of exploiting a public-facing application to obtain remote code execution.
Mitigating Controls (NIST 800-53 r5)
- Flaw remediation: directly mandates timely identification, reporting, and patching of the PHP LFI flaw in the Subscribe to Unlock Lite WordPress plugin.
- SI-10 (Information Input Validation): requires validation of user-supplied filename inputs to PHP include/require statements, preventing arbitrary local file inclusion.
- RA-5 (Vulnerability Monitoring and Scanning): provides vulnerability scanning to identify the specific PHP LFI vulnerability (CVE-2025-68563) in the affected WordPress plugin.
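To make the CWE-98 pattern and the SI-10 input-validation control concrete, the following added illustration shows a generic vulnerable include beside a hardened version. It is not code from the Subscribe to Unlock Lite plugin; the `template` request parameter, the `templates/` directory and the template names are assumptions made for the example.

```php
<?php
// Added illustration of CWE-98 (PHP include with attacker-influenced filename).
// Not the plugin's code; parameter name, directory and template names are assumed.

// Vulnerable pattern: the include path is built directly from request input,
// so the request decides which local file the interpreter loads and executes.
function render_template_vulnerable(array $request): void
{
    $name = $request['template'] ?? 'default';
    include __DIR__ . '/templates/' . $name . '.php';
}

// Hardened pattern (SI-10 style validation): request input is only ever used
// as a key into a fixed allowlist, and the resolved path is checked to stay
// inside the templates directory before anything is included.
const ALLOWED_TEMPLATES = [
    'default' => 'default.php',
    'locked'  => 'locked.php',
    'success' => 'success.php',
];

function resolve_template(string $name): ?string
{
    if (!array_key_exists($name, ALLOWED_TEMPLATES)) {
        return null; // unknown key: refuse rather than trust the input
    }
    $base = realpath(__DIR__ . '/templates');
    $path = realpath($base . '/' . ALLOWED_TEMPLATES[$name]);
    // Containment check guards against symlinked or misconfigured entries.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function render_template_hardened(array $request): void
{
    $path = resolve_template((string) ($request['template'] ?? 'default'));
    if ($path === null) {
        http_response_code(400);
        echo 'Unknown template';
        return;
    }
    include $path;
}
```

The allowlist is the essential control: once the request value is no longer used as a path fragment, neither traversal sequences nor null bytes in the parameter can change which file is included.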