How to fix CVE-2025-48125?

Within 24 hours: Identify all WordPress instances running WP Event Manager and document versions; disable the plugin as an immediate containment measure. Within 7 days: Monitor vendor communications for patch release; implement WAF rules to block malicious file inclusion requests; conduct web server logs review for exploitation attempts. Within 30 days: Upon patch availability, apply immediately; perform forensic analysis of access logs for indicators of compromise; restore from clean backups if exploitation confirmed.

Is PHP affected by CVE-2025-48125?

WP Event Manager versions up to 3.1.49 contain a critical file inclusion vulnerability that could allow attackers to execute arbitrary code on affected WordPress installations.

CVE-2025-48125

EUVD-2025-17527 HIGH

2025-06-09 [email protected]

8.1

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

EUVD ID Assigned

Mar 14, 2026 - 19:21 euvd

EUVD-2025-17527

Analysis Generated

Mar 14, 2026 - 19:21 vuln.today

CVE Published

Jun 09, 2025 - 16:15 nvd

HIGH 8.1

Description

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WP Event Manager WP Event Manager allows PHP Local File Inclusion. This issue affects WP Event Manager: from n/a through 3.1.49.

Analysis

Local File Inclusion (LFI) vulnerability in WP Event Manager WordPress plugin versions through 3.1.49 that allows unauthenticated remote attackers to include and execute arbitrary PHP files from the server filesystem. This CWE-98 vulnerability has a CVSS score of 8.1 (High severity) with high impact on confidentiality, integrity, and availability. While the vulnerability requires specific conditions (AC:H), its network accessibility and lack of authentication requirements make it a significant risk for affected WordPress installations.

Technical Context

This vulnerability stems from improper input validation in PHP file inclusion/require statements within the WP Event Manager plugin (CPE: wp:wp_event_manager). The root cause is CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program), which occurs when user-supplied input is insufficiently sanitized before being passed to PHP functions like include(), require(), include_once(), or require_once(). The vulnerability allows attackers to manipulate file paths to access and execute local files on the server that would not normally be accessible through the web interface. Unlike Remote File Inclusion (RFI) attacks that require allow_url_include to be enabled, this LFI variant operates entirely within the local filesystem, making it more reliably exploitable across diverse server configurations.

Affected Products

WP Event Manager (through 3.1.49)

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.2

CVSS: +40

POC: 0

CVE-2025-48125 vulnerability details – vuln.today

Back

CVE-2025-48125

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Priority Score

Share

CVE-2025-48125

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Priority Score

Share

External POC / Exploit Code