PHP CVE-2025-49258

| EUVD-2025-28290 HIGH
PHP Remote File Inclusion (CWE-98)
2025-06-17 [email protected]
PHP Information Disclosure
8.1
CVSS 3.1
Share

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
EUVD ID Assigned
Mar 14, 2026 - 22:15 euvd
EUVD-2025-28290
Analysis Generated
Mar 14, 2026 - 22:15 vuln.today
CVE Published
Jun 17, 2025 - 15:15 nvd
HIGH 8.1

DescriptionNVD

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Maia allows PHP Local File Inclusion. This issue affects Maia: from n/a through 1.1.15.

AnalysisAI

PHP Local File Inclusion (LFI) vulnerability in thembay Maia versions up to 1.1.15, caused by improper control of filenames in PHP include/require statements (CWE-98). An unauthenticated remote attacker can exploit this over the network with high complexity to read arbitrary files on the server, potentially leading to code execution, information disclosure, and system compromise. The vulnerability has a CVSS 3.1 score of 8.1 (High severity) with network accessibility and no privilege requirements, though exploitation requires non-standard conditions (AC:H).

Technical ContextAI

This vulnerability stems from CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program), a classic PHP security flaw where user-controlled input is passed unsanitized to PHP's include(), require(), include_once(), or require_once() functions. The affected product is thembay Maia (a PHP-based application, likely a WordPress theme or plugin given the vendor name), versions from an unspecified baseline through 1.1.15. The root cause is insufficient input validation/sanitization before file inclusion operations, allowing attackers to specify arbitrary file paths. While the CVE description mentions 'Remote File Inclusion' in the title, the actual vulnerability is Local File Inclusion (LFI), permitting access to files accessible by the web server process (e.g., /etc/passwd, application source code, configuration files with credentials). In some contexts, LFI can escalate to RCE via log poisoning, session file inclusion, or other chaining techniques.

RemediationAI

  1. Immediate: Identify and audit all instances of thembay Maia in your environment (versions <=1.1.15). 2. Patching: Upgrade to a patched version greater than 1.1.15 as soon as available from thembay. Monitor vendor advisories and release notes for the security patch. 3. Temporary mitigation (if patching is delayed): Implement Web Application Firewall (WAF) rules to block requests containing LFI payloads (e.g., directory traversal patterns like ../, encoded variants ..%2f, null bytes); restrict file inclusion to a whitelist of safe, internal files; disable remote file inclusion in PHP configuration (php.ini: allow_url_include = Off, allow_url_fopen = Off). 4. Detection: Review web server and application logs for suspicious file path patterns in GET/POST parameters that indicate LFI exploitation attempts. 5. Long-term: Conduct code review of include/require statements in Maia to identify and remediate all instances of unsanitized filename control.

Share

CVE-2025-49258 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy