CVE-2025-49921

Severity: HIGH (CVSS 3.1 base score 7.3)
Published: 2025-10-22, source [email protected]

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: Low

Lifecycle Timeline

CVE Published: Oct 22, 2025 - 15:15 (nvd), rated HIGH 7.3
Analysis Generated: Apr 01, 2026 - 15:22 (vuln.today)

Description

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Crocoblock JetReviews jet-reviews allows PHP Local File Inclusion. This issue affects JetReviews: from n/a through <= 3.0.0.

Analysis

A local file inclusion vulnerability in the Crocoblock JetReviews WordPress plugin (versions ≤ 3.0.0) lets unauthenticated remote attackers control the filename passed to a PHP include/require statement and thereby pull arbitrary files from the server filesystem into the running script. The real-world risk is moderate: the EPSS exploitation probability is 0.13% (33rd percentile), indicating relatively low attacker interest despite a network-reachable attack vector that requires neither privileges nor user interaction. No public exploit was identified at the time of analysis, and no active exploitation has been confirmed.

Technical Context

This vulnerability is an instance of CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program), a class of PHP code-injection flaws in which user-controlled input influences the path passed to include(), require() or their _once variants. The CWE name itself carries the label 'PHP Remote File Inclusion', which is why that phrase appears in the CVE description; the classification and tags for this issue, however, indicate Local File Inclusion (LFI): the attacker is limited to files that already exist on the server (or are reachable through a local stream wrapper) rather than being able to point the include at an attacker-hosted URL. That limit is narrower than it sounds. include() does not merely read its target, it parses and executes it as PHP, so non-PHP files such as configuration, credentials and application source are disclosed through whatever the script echoes, and any local file whose contents an attacker can influence could end up executed as code; the Low confidentiality, integrity and availability ratings in the CVSS vector reflect partial rather than total impact. The JetReviews plugin, developed by Crocoblock for WordPress review management, fails to validate the filename parameter before using it in a file inclusion, so path traversal sequences such as '../../../' can escape the intended directory. The issue is catalogued in the Patchstack vulnerability database (linked under Affected Products).
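The pattern described above, shown as an added example that is not JetReviews' own code: a hypothetical review-template loader that splices a request parameter into include(), beside a hardened version that allow-lists the template name and then canonicalises the path and checks it is contained in the template directory. The function names, the template parameter and the temporary template directory are assumptions for the demo; it needs PHP 8 and creates and removes its own scratch files.

```php
<?php
// Added illustration of CWE-98, not JetReviews' own code. The function names,
// the $template parameter and the template directory are hypothetical.

// VULNERABLE: a request value is spliced into the include path unchanged.
// include() evaluates the target as PHP, so this is more than a file read:
// non-PHP files are echoed back, and any local file whose content the
// attacker can influence (uploads, logs, session files) can run as code.
// Never called in the demo below; it is here to show the shape of the bug.
function load_template_vulnerable(string $dir, string $template): void {
    // e.g. ?template=../../../../wp-config
    include $dir . '/' . $template . '.php';
}

// HARDENED: allow-list the name, then canonicalise and check containment.
function load_template_safe(string $dir, string $template): bool {
    // 1. Only bare identifiers the plugin actually ships.
    static $allowed = ['list', 'single', 'summary'];
    if (!in_array($template, $allowed, true)) {
        return false;
    }
    // 2. Defence in depth: realpath() collapses '..' and symlinks and returns
    //    false for a missing file; then require the result to sit under $dir.
    $base = realpath($dir);
    $path = realpath($base . '/' . $template . '.php');
    if ($base === false || $path === false
        || !str_starts_with($path, $base . DIRECTORY_SEPARATOR)) {
        return false;
    }
    include $path;
    return true;
}

// Stand-alone demo: build a throw-away template directory with one real template.
$dir = sys_get_temp_dir() . '/lfi-demo-' . getmypid();
mkdir($dir);
file_put_contents($dir . '/list.php', "<?php echo \"[list template rendered]\\n\";\n");

// Constructed probe values an attacker would send to the vulnerable loader;
// the safe loader rejects every one except the legitimate name.
$probes = [
    'list',                                                // legitimate
    '../../../../wp-config',                               // classic traversal
    "../../../../etc/passwd\0",                            // null-byte truncation (old PHP)
    'php://filter/convert.base64-encode/resource=list',    // stream-wrapper trick
];
foreach ($probes as $p) {
    $ok = load_template_safe($dir, $p);
    printf("%-55s => %s\n", addcslashes($p, "\0"), $ok ? 'included' : 'rejected');
}

unlink($dir . '/list.php');
rmdir($dir);
```

The allow-list is the real fix; the realpath() containment check only catches cases where the allow-list is later loosened or a template file is replaced by a symlink. Note that realpath() is applied to the candidate path, not to the raw input, so '..' and wrapper prefixes are resolved before the comparison rather than pattern-matched.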

Affected Products

The vulnerability affects the Crocoblock JetReviews plugin for WordPress in all versions up to and including 3.0.0 (the advisory gives no lower bound). JetReviews is a commercial WordPress plugin providing advanced review management, ratings display and testimonial functionality for WooCommerce and custom post types. Organizations running JetReviews ≤ 3.0.0 in their WordPress installations should consider themselves affected. Crocoblock markets it as part of its suite of Elementor-compatible plugins, aimed primarily at e-commerce and business websites that need customer review capabilities. Detailed technical analysis and confirmation of the vulnerability are available in the Patchstack vulnerability database entry at https://patchstack.com/database/Wordpress/Plugin/jet-reviews/vulnerability/wordpress-jetreviews-plugin-3-0-0-local-file-inclusion-vulnerability.

Remediation

Organizations should upgrade JetReviews to a release newer than 3.0.0 as soon as one is available from Crocoblock; check the official Crocoblock website for the latest release that addresses this LFI. If an updated version has not yet shipped or deployment is delayed, apply compensating controls: restrict access to trusted IP addresses via web application firewall rules where the site's audience permits (the flaw is reachable without authentication, so limiting wp-admin alone does not necessarily block it); set PHP open_basedir to confine what include() can reach, keeping in mind that files inside the web root remain reachable; add WAF rules that block path traversal patterns, including percent-encoded and double-encoded forms, in request paths and parameters; and run file integrity monitoring so that changes to wp-config.php and other sensitive files are noticed. Review web server access logs for requests containing '../' sequences (encoded or not), PHP stream-wrapper prefixes such as php://, or attempts to reach wp-config.php and similar files. The Patchstack advisory linked above carries any vendor-specific guidance. If JetReviews is not actively used, disable or remove the plugin entirely until a confirmed patch is deployed.
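The log review described above, as an added example that is not part of the advisory or the plugin: a PHP CLI script that normalises request targets (percent-decoding in layers, backslashes, null bytes) before matching, so encoded traversal is not missed, and flags traversal, wp-config.php, stream-wrapper and /etc/passwd probes. The access-log lines are constructed in Apache combined format for the demo; because the real vulnerable request path is not published, the rules key on payload shape rather than on a particular URL.

```php
<?php
// Added example, not from the advisory or the plugin. Scans constructed
// access-log lines for the traversal and wp-config.php probes a JetReviews
// LFI attempt would produce. The rules key on payload shape, not on a URL.

// Undo the encodings attackers use to slip past naive '../' matching:
// percent-encoding (including double encoding), backslashes and null bytes.
function normalize_path(string $raw): string {
    $s = $raw;
    // Decode at most three layers of percent-encoding; stop once stable.
    for ($i = 0; $i < 3; $i++) {
        $d = rawurldecode($s);
        if ($d === $s) break;
        $s = $d;
    }
    $s = str_replace('\\', '/', $s);
    $s = str_replace("\0", '', $s);
    return strtolower($s);
}

// Returns the names of the rules a request target matches; [] if benign.
function classify_request(string $target): array {
    $n = normalize_path($target);
    $hits = [];
    if (str_contains($n, '../'))                                 $hits[] = 'traversal';
    if (str_contains($n, 'wp-config'))                           $hits[] = 'wp-config';
    if (preg_match('#(^|=)(php|file|data|phar|zip|glob)://#', $n)) $hits[] = 'wrapper';
    if (preg_match('#/etc/(passwd|shadow)#', $n))                $hits[] = 'etc-file';
    return $hits;
}

// Parse one combined-log line into ip/target/status; false if it does not match.
function parse_line(string $line) {
    $re = '/^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP\/[\d.]+" (\d{3})/';
    if (!preg_match($re, $line, $m)) {
        return false;
    }
    return ['ip' => $m[1], 'target' => $m[2], 'status' => (int) $m[3]];
}

// Constructed sample log: one benign request, three probes from one source,
// and an unrelated login. IPs are from documentation ranges.
$sample_log = [
    '203.0.113.5 - - [23/Oct/2025:10:01:02 +0000] "GET /?template=list HTTP/1.1" 200 512',
    '203.0.113.9 - - [23/Oct/2025:10:01:05 +0000] "GET /?template=../../../../wp-config HTTP/1.1" 200 3021',
    '203.0.113.9 - - [23/Oct/2025:10:01:06 +0000] "GET /?template=..%252f..%252f..%252fetc%252fpasswd HTTP/1.1" 200 1840',
    '203.0.113.9 - - [23/Oct/2025:10:01:07 +0000] "GET /?template=php://filter/convert.base64-encode/resource=../../wp-config HTTP/1.1" 200 4100',
    '198.51.100.2 - - [23/Oct/2025:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
];

foreach ($sample_log as $line) {
    $r = parse_line($line);
    if ($r === false) continue;
    $hits = classify_request($r['target']);
    if ($hits) {
        // A 200 with a sizeable body on a probe deserves a closer look.
        printf("%-14s %3d %-28s %s\n", $r['ip'], $r['status'], implode(',', $hits), $r['target']);
    }
}
```

Run it against a real log by replacing $sample_log with file() on the access log. The layered decode is the point: a single rawurldecode() would leave '..%2f' intact, and a rule that only looks for the literal string '../' would miss the double-encoded probe entirely.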

Priority Score

37 (components: KEV 0, EPSS +0.1, CVSS +36, POC 0)


CVE-2025-49921 vulnerability details – vuln.today