CVE-2025-60076
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Jiro Sasamoto Ray Enterprise Translation lingotek-translation allows PHP Local File Inclusion. This issue affects Ray Enterprise Translation: from n/a through <= 1.7.1.
Analysis
Local file inclusion in Ray Enterprise Translation WordPress plugin (versions ≤1.7.1) allows unauthenticated remote attackers to read arbitrary files from the server. CVSS 7.5 HIGH due to network-accessible exploitation with no authentication required. EPSS score of 0.06% (20th percentile) indicates low observed exploitation probability. No active exploitation confirmed (not in CISA KEV); no public exploit identified at time of analysis. Despite high CVSS, real-world risk appears moderate given low EPSS and information disclosure-only impact.
Technical Context
This vulnerability stems from improper validation of file paths passed to PHP include/require statements (CWE-98). The plugin fails to sanitize user-controlled input used in a file inclusion operation, so path traversal sequences can reach files outside the intended directory. The description carries the CWE-98 title, 'PHP Remote File Inclusion', but the available data and Patchstack's tagging confirm this is a Local File Inclusion (LFI) issue affecting WordPress installations running the lingotek-translation plugin. LFI vulnerabilities typically arise where include(), require(), include_once() or require_once() receive untrusted input without path canonicalization or whitelist validation. The affected component is the Ray Enterprise Translation plugin by Jiro Sasamoto, versions 1.7.1 and earlier.
Affected Products
The vulnerability affects Jiro Sasamoto's Ray Enterprise Translation plugin (WordPress identifier: lingotek-translation) in every version from the plugin's initial release through 1.7.1 inclusive. The plugin provides enterprise translation management integrated with Lingotek's translation services. Organizations running WordPress with this plugin at version 1.7.1 or earlier are exposed to local file inclusion attacks. Detailed vulnerability information is available in the Patchstack database at https://patchstack.com/database/Wordpress/Plugin/lingotek-translation/vulnerability/wordpress-ray-enterprise-translation-plugin-1-7-1-local-file-inclusion-vulnerability?_s_id=cve.
Remediation
Immediate action required: update Ray Enterprise Translation plugin to a version newer than 1.7.1 if available from the WordPress plugin repository or the vendor. Site administrators should check the WordPress admin dashboard (Plugins section) for available updates and apply them immediately. If no patched version is available, consider disabling or removing the plugin until a fix is released, particularly on production systems handling sensitive data. As a temporary mitigation, implement web application firewall (WAF) rules to detect and block path traversal attempts containing sequences like '../' or encoded equivalents in requests to the plugin's PHP files. Review web server access logs for suspicious requests targeting the plugin directory to identify potential exploitation attempts. Consult Patchstack's advisory at https://patchstack.com/database/Wordpress/Plugin/lingotek-translation/vulnerability/wordpress-ray-enterprise-translation-plugin-1-7-1-local-file-inclusion-vulnerability?_s_id=cve for additional vendor guidance and patch availability status.
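The log review step above, as an added example that is not from vuln.today, Patchstack or the plugin: a small Python scanner over constructed access-log lines that percent-decodes each request until it is stable (so double-encoded '../' is caught) and flags traversal markers in requests into the plugin directory. It assumes WordPress's default wp-content/plugins/ layout; the script name PLACEHOLDER.php and the "file" parameter in the sample are placeholders, since the advisory does not name the vulnerable file or parameter.

```python
import re
from urllib.parse import unquote

# Plugin directory under a default WordPress layout: the slug "lingotek-translation" is
# from the advisory; wp-content/plugins/ is WordPress's standard plugin location.
PLUGIN_PATH = "/wp-content/plugins/lingotek-translation/"

# Combined log format (Apache/nginx default); only the fields used below are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')
# "../" after normalisation, a trailing "..", or a NUL byte (which older PHP builds
# treated as a string terminator inside include() paths).
TRAVERSAL_RE = re.compile(r'\.\./|/\.\.$|\x00')

def normalize(target: str, rounds: int = 3) -> str:
    """Percent-decode until stable (catches %252e double encoding) and unify slashes."""
    decoded = target
    for _ in range(rounds):
        again = unquote(decoded)
        if again == decoded:
            break
        decoded = again
    return decoded.replace("\\", "/")

def is_suspicious(target: str) -> bool:
    """Request into the plugin directory whose decoded form contains a traversal marker."""
    norm = normalize(target)
    return norm.startswith(PLUGIN_PATH) and TRAVERSAL_RE.search(norm) is not None

def scan(lines):
    """One record per suspicious request: client IP, timestamp, decoded target, status."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_suspicious(m["target"]):
            hits.append({"ip": m["ip"], "ts": m["ts"],
                         "target": normalize(m["target"]), "status": int(m["status"])})
    return hits

# Constructed sample log lines. PLACEHOLDER.php and the "file" parameter stand in for
# the vulnerable script and parameter, which the advisory does not name.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Oct/2025:10:00:01 +0000] "GET /wp-content/plugins/lingotek-translation/js/app.js?ver=1.7.1 HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Oct/2025:10:00:02 +0000] "GET /wp-content/plugins/lingotek-translation/PLACEHOLDER.php?file=../../../../etc/passwd HTTP/1.1" 200 1431 "-" "curl/8.0"',
    '198.51.100.7 - - [01/Oct/2025:10:00:03 +0000] "GET /wp-content/plugins/lingotek-translation/PLACEHOLDER.php?file=%252e%252e%252f%252e%252e%252fwp-config.php HTTP/1.1" 200 2210 "-" "curl/8.0"',
    '192.0.2.9 - - [01/Oct/2025:10:00:04 +0000] "GET /index.php?p=../../something HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
]
```

Running scan(SAMPLE_LOG) returns the two requests from 198.51.100.7, including the double-encoded one, and ignores both the legitimate asset fetch and the traversal attempt outside the plugin directory; a 200 status on a flagged request is the case worth investigating first, since a blocked or missing file would normally not return success.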