PHP CVE-2025-49282

EUVD-2025-17548 | HIGH 8.1 (CVSS 3.1)
PHP Remote File Inclusion (CWE-98)
2025-06-09 [email protected]

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

EUVD ID Assigned (EUVD-2025-17548): Mar 14, 2026 - 19:21, euvd
Analysis Generated: Mar 14, 2026 - 19:21, vuln.today
CVE Published: Jun 09, 2025 - 16:15, nvd

Description (NVD)

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Unfoldwp Magze allows PHP Local File Inclusion. This issue affects Magze: from n/a through 1.0.9.

Analysis (AI)

This is a PHP Local File Inclusion (LFI) vulnerability in Unfoldwp Magze versions up to 1.0.9 that allows unauthenticated remote attackers to include and execute arbitrary local files, because filename parameters reaching PHP include/require statements are not properly controlled. It is network-accessible with high attack complexity but complete impact on confidentiality, integrity, and availability (CVSS 8.1). The vulnerability likely affects WordPress plugin deployments where Magze is installed, and successful exploitation could lead to remote code execution through log poisoning or other LFI-to-RCE chains.

Technical Context (AI)

This vulnerability is an instance of CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program), a classic PHP web application flaw. The root cause is insufficient input validation and sanitization of user-supplied parameters that are passed directly to PHP include() or require() statements. Unlike Remote File Inclusion (RFI), LFI restricts inclusion to files already present on the target server, but it can still achieve code execution through: (1) log file poisoning (including Apache/Nginx access logs with PHP code), (2) session file manipulation, (3) temporary file exploitation, or (4) directory traversal to sensitive application files. Unfoldwp Magze (likely installed under a WordPress plugin path such as wp-content/plugins/magze) fails to implement a whitelist of allowed files or to properly escape/validate the filename parameter before passing it to include/require statements, creating a direct path to local file access.

Remediation (AI)

Immediate actions: (1) Update the Magze plugin to version 1.0.10 or later if available (check the WordPress plugin repository or the Unfoldwp website directly). (2) If no patch is available, disable or remove Magze until it is patched. (3) Temporary mitigation (if patching is delayed): implement PHP-level restrictions via php.ini: set open_basedir to restrict file access, disable dangerous functions (include, require) if feasible, or use the disable_functions directive to limit exploitation paths. (4) Web server level: configure Apache/Nginx to prevent inclusion of sensitive files (e.g., deny access to /var/log, /proc). (5) Monitor access logs for patterns like '../', 'etc/passwd', or repeated failed includes. (6) Long-term: Unfoldwp must implement input validation (a whitelist of allowed filenames), use basename() to prevent directory traversal, and perform a code review of all include/require statements. Contact Unfoldwp support for the patch timeline and advisory if not publicly available.
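To illustrate the whitelist and basename() controls in step (6), here is an added example that is not Magze's own code: a constructed template loader in the vulnerable shape the advisory describes, beside a hardened version. The parameter name 'template', the templates directory and the template names are assumptions.

```php
<?php
// Added example (not Magze's code): a constructed template-loading handler
// showing the CWE-98 pattern the advisory describes and a hardened version.
// The 'template' parameter name and the file layout are assumptions.

// VULNERABLE: the request value reaches include() unchanged, so a traversal
// string or an absolute path selects any readable file on the server.
function load_template_vulnerable(string $template): void
{
    include __DIR__ . '/templates/' . $template . '.php';
}

// HARDENED: (1) whitelist of known template names, (2) basename() as
// defence in depth, (3) realpath() containment check before include.
const ALLOWED_TEMPLATES = ['home', 'single', 'archive', 'search'];

function resolve_template(string $template): ?string
{
    $name = basename($template);             // drop any directory component
    if (!in_array($name, ALLOWED_TEMPLATES, true)) {
        return null;                         // not a known template: refuse
    }
    $base = realpath(__DIR__ . '/templates');
    $path = realpath($base . '/' . $name . '.php');
    // realpath() resolves symlinks and '..'; the result must still sit
    // inside the templates directory, otherwise refuse.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function load_template_hardened(string $template): void
{
    $path = resolve_template($template);
    if ($path === null) {
        http_response_code(400);
        // Log rejected values so the monitoring in step (5) has a signal.
        error_log('template load rejected: ' . $template);
        return;
    }
    include $path;
}

// The request parameter name is an assumption; Magze's real parameter is not on the page.
load_template_hardened($_GET['template'] ?? 'home');
```

Note that include and require are language constructs rather than functions, so the disable_functions directive in step (3) cannot block them; open_basedir and a whitelist like the one above are the effective PHP-level controls.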


CVE-2025-49282 vulnerability details – vuln.today
