Skip to main content

Modal Survey CVE-2025-39468

HIGH
PHP Remote File Inclusion (CWE-98)
2025-11-06 audit@patchstack.com
8.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.1 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Analysis Updated
Apr 24, 2026 - 01:06 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 15:43 vuln.today
cvss_changed
Severity Changed
Apr 23, 2026 - 15:43 NVD
CRITICAL HIGH
CVSS changed
Apr 23, 2026 - 15:43 NVD
9.8 (CRITICAL) 8.1 (HIGH)
Analysis Generated
Mar 28, 2026 - 19:20 vuln.today
CVE Published
Nov 06, 2025 - 16:15 nvd
CRITICAL 9.8

DescriptionCVE.org

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in pantherius Modal Survey modal-survey.This issue affects Modal Survey: from n/a through <= 2.0.2.0.1.

AnalysisAI

Remote file inclusion in Modal Survey WordPress plugin through version 2.0.2.0.1 allows unauthenticated attackers to include and execute arbitrary PHP files via manipulated include/require statements. Exploitation requires complex conditions (AC:H) but no authentication, potentially leading to complete site compromise. EPSS score of 0.14% (35th percentile) suggests low probability of mass exploitation. Patchstack security audit identified this vulnerability as exploitable for both remote file inclusion and local file inclusion.

Technical ContextAI

This vulnerability stems from CWE-98 (Improper Control of Filename for Include/Require Statement), a classic PHP security flaw where user-controlled input is passed directly to file inclusion functions (include, require, include_once, require_once) without proper validation. Modal Survey is a WordPress plugin developed by pantherius for creating survey modals. The plugin fails to sanitize file path parameters before using them in PHP file inclusion statements, enabling attackers to traverse directories or reference remote URLs. WordPress plugins commonly suffer from this vulnerability class when implementing dynamic template loading, AJAX handlers, or file upload processing without strict allowlisting of permitted file paths. The CVSS vector indicates network-based exploitation (AV:N) with high attack complexity (AC:H), suggesting exploitation requires specific knowledge of file paths, race conditions, or particular plugin configurations.

Affected ProductsAI

WordPress Modal Survey plugin versions through 2.0.2.0.1 developed by pantherius. The vulnerability affects all versions from the initial release up to and including version 2.0.2.0.1. No CPE identifier provided in available data. Patchstack vulnerability database reference: https://patchstack.com/database/Wordpress/Plugin/modal-survey/vulnerability/wordpress-modal-survey-plugin-2-0-2-0-1-local-file-inclusion-vulnerability

RemediationAI

Update Modal Survey plugin to version 2.0.2.0.2 or later if available (verify current patched version at WordPress.org plugin repository or Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/modal-survey/vulnerability/wordpress-modal-survey-plugin-2-0-2-0-1-local-file-inclusion-vulnerability). If no patched version exists, immediately deactivate and remove the Modal Survey plugin until a fix is released. Compensating controls for organizations requiring continued operation: implement Web Application Firewall rules blocking requests with path traversal sequences (../, .%2e, %2e%2e) and null byte injections (%00) to plugin endpoints; restrict plugin directory permissions to prevent writing attacker-controlled files for inclusion; disable allow_url_include in PHP configuration (php.ini) to prevent remote file inclusion while permitting only local file inclusion (reduces exploitability but does not eliminate information disclosure risk). Note that WAF rules may cause false positives if the plugin legitimately processes file paths in surveys. Monitor WordPress access logs for suspicious requests to /wp-content/plugins/modal-survey/ containing unusual file parameters or directory traversal patterns.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2025-39468 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy