CVE-2025-64284
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Majestic Support Majestic Support majestic-support allows PHP Local File Inclusion. This issue affects Majestic Support: from n/a through <= 1.0.7.
Analysis
Local file inclusion in Majestic Support WordPress plugin versions ≤1.0.7 allows authenticated attackers with low-level privileges to include arbitrary PHP files from the server filesystem, because user-controlled input reaches include/require statements without proper filename control. With CVSS 7.5 (High), the vulnerability requires high attack complexity but can lead to complete confidentiality, integrity, and availability compromise. The EPSS score of 0.10% (28th percentile) suggests a low probability of mass exploitation. No public exploit code was identified and the CVE was not present in CISA KEV at the time of analysis, though Patchstack tracking indicates vendor awareness.
Technical Context
This is a PHP Local File Inclusion (LFI) vulnerability arising from CWE-98 (Improper Control of Filename for Include/Require Statement). The 'PHP Remote File Inclusion' wording in the CVE description comes from the CWE-98 title; the technical details and the Patchstack reference confirm this as a local file inclusion issue. The vulnerability occurs when the Majestic Support WordPress plugin fails to properly sanitize user-controlled input before passing it to PHP's include() or require() functions. Attackers can manipulate file path parameters to traverse the filesystem and include local files, potentially including configuration files containing credentials, log files with sensitive data, or specially-crafted files that execute arbitrary PHP code. The affected product is the Majestic Support plugin for WordPress, a customer support ticketing system. The high attack complexity (AC:H) suggests the vulnerability may require specific conditions such as particular file structures, writable directories, or chained exploitation techniques to achieve meaningful impact.
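To make the CWE-98 pattern concrete, the following is an added example written for this page; it is not code from the Majestic Support plugin or from the advisory, and nothing here reflects how the plugin actually builds its include paths. It contrasts the generic unsafe pattern (a request value concatenated into an include path) with a hardened resolver that accepts only allowlisted view names and verifies the canonical path stays inside the intended directory. All names (render_view_vulnerable, resolve_view, render_view, $viewDir, the view names) are hypothetical.

```php
<?php
// Added example, not code from the Majestic Support plugin or the advisory.
// Shows the generic CWE-98 include pattern and one hardened replacement.
// All names here (render_view_vulnerable, resolve_view, $viewDir, the view
// names) are hypothetical.

// Unsafe pattern: a request value is concatenated straight into the include
// path, so "../" sequences walk out of the intended directory.
function render_view_vulnerable(string $viewDir, string $view): void
{
    include $viewDir . '/' . $view . '.php';
}

// Hardened pattern: accept only names from a fixed allowlist, then confirm
// the resolved file really sits under the view directory.
function resolve_view(string $viewDir, string $view): ?string
{
    static $allowed = ['ticket-list', 'ticket-detail', 'new-ticket'];
    if (!in_array($view, $allowed, true)) {
        return null; // unknown name: refuse rather than guess
    }
    $base = realpath($viewDir);
    $path = realpath($viewDir . '/' . $view . '.php');
    // realpath() returns false for missing files and collapses any "..",
    // so a prefix check on the canonical path also catches symlink tricks.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function render_view(string $viewDir, string $view): void
{
    // In a WordPress plugin this would additionally sit behind a
    // current_user_can() capability check and a nonce check.
    $path = resolve_view($viewDir, $view);
    if ($path === null) {
        http_response_code(400);
        echo "Unknown view\n";
        return;
    }
    include $path;
}

// Self-contained demonstration: build a temporary view directory and show
// which inputs the hardened resolver accepts.
if (PHP_SAPI === 'cli') {
    $dir = sys_get_temp_dir() . '/views-' . bin2hex(random_bytes(4));
    mkdir($dir);
    file_put_contents($dir . '/ticket-list.php', "<?php echo \"ticket list\\n\";\n");
    $inputs = ['ticket-list', 'ticket-detail', '../../wp-config', 'ticket-list/../ticket-list'];
    foreach ($inputs as $in) {
        printf("%-30s -> %s\n", $in, resolve_view($dir, $in) ?? 'rejected');
    }
    render_view($dir, 'ticket-list');
    unlink($dir . '/ticket-list.php');
    rmdir($dir);
}
```

Run with `php example.php`: only `ticket-list` resolves to a path; `ticket-detail` is allowlisted but has no file, so realpath() fails and it is rejected; the two traversal-shaped inputs are refused by the allowlist before any filesystem call. The allowlist does the real work; the realpath() containment check is a second line of defence for cases where the allowed names are later loaded from configuration rather than hard-coded.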
Affected Products
The vulnerability affects Majestic Support plugin for WordPress in all versions from earliest release through version 1.0.7 inclusive. Majestic Support is a customer support and ticketing system plugin for WordPress websites. According to the Patchstack database reference, the vulnerability was addressed in version 1.1.1, indicating all versions prior to and including 1.0.7 remain vulnerable. Organizations running WordPress sites with this plugin installed should verify their installed version immediately. The specific CPE or detailed version enumeration data was not provided in the vulnerability disclosure, but the version range is definitively established as ≤1.0.7 affected, ≥1.1.1 patched.
Remediation
Immediately upgrade Majestic Support plugin to version 1.1.1 or later, which addresses this local file inclusion vulnerability according to Patchstack's vulnerability database. WordPress administrators should navigate to the Plugins section of their WordPress admin dashboard, locate Majestic Support, and update to the latest available version. If immediate patching is not feasible, implement compensating controls including restricting plugin access to only fully-trusted administrator accounts, reviewing user permission levels to minimize accounts with low-privilege authenticated access, implementing web application firewall rules to detect path traversal patterns in requests to the plugin, and monitoring server logs for suspicious file access patterns. Complete vulnerability details and remediation guidance are available in the Patchstack database at https://patchstack.com/database/Wordpress/Plugin/majestic-support/vulnerability/wordpress-majestic-support-plugin-1-1-1-local-file-inclusion-vulnerability. Organizations should also audit whether sensitive files (configuration files, logs, upload directories) are accessible via the web server and implement appropriate filesystem permissions to limit damage potential from LFI attacks.
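The remediation guidance above recommends web application firewall rules and log monitoring for path traversal patterns in requests to the plugin. As an added example (not from the advisory, the plugin, or Patchstack), the PHP script below scans access-log lines in Common Log Format, keeps only requests whose target mentions the plugin, URL-decodes the target twice, and flags traversal sequences and PHP stream wrappers, grouping hits by client IP. The `view` parameter name, the URL shapes and the log lines are constructed for illustration only; real requests to the plugin will differ.

```php
<?php
// Added example, not part of the advisory or the plugin. Flags access-log
// requests to the plugin's URL space that carry traversal or stream-wrapper
// patterns. The parameter name "view" and the log lines are constructed for
// illustration; real request shapes differ.

const PLUGIN_MARKER = 'majestic-support';

// Patterns checked against the URL-decoded request target.
// '[\\\\/]' in a single-quoted PHP string becomes the regex class [\\/],
// i.e. either a backslash or a forward slash.
const SUSPICIOUS_PATTERNS = [
    '~\.\.[\\\\/]~'               => 'dot-dot traversal',
    '~php://~i'                   => 'php:// stream wrapper',
    '~(?:data|expect|phar)://~i'  => 'other stream wrapper',
    '~\x00~'                      => 'NUL byte',
];

// Pull the request target out of a Common/Combined Log Format line.
function extract_request(string $line): ?string
{
    if (preg_match('~"(?:GET|POST|HEAD) ([^" ]+) HTTP/~', $line, $m)) {
        return $m[1];
    }
    return null;
}

// Return the indicator labels that match this line (empty array = clean).
function classify_line(string $line): array
{
    $target = extract_request($line);
    if ($target === null || stripos($target, PLUGIN_MARKER) === false) {
        return [];
    }
    // Decode twice so double-encoded sequences (%252e -> %2e -> .) are caught.
    $decoded = rawurldecode(rawurldecode($target));
    $hits = [];
    foreach (SUSPICIOUS_PATTERNS as $re => $label) {
        if (preg_match($re, $decoded) === 1) {
            $hits[] = $label;
        }
    }
    return $hits;
}

// Scan a list of lines and group alerts by client IP so repeated probing
// from one source stands out.
function scan_log(array $lines): array
{
    $alerts = [];
    foreach ($lines as $n => $line) {
        $hits = classify_line($line);
        if ($hits === []) {
            continue;
        }
        $ip = strtok($line, ' ') ?: 'unknown';
        $alerts[$ip][] = ['line' => $n + 1, 'indicators' => $hits];
    }
    return $alerts;
}

// Constructed sample log (not real traffic).
$sample = [
    '203.0.113.10 - - [12/Nov/2025:10:15:01 +0000] "GET /wp-admin/admin.php?page=majestic-support&view=ticket-list HTTP/1.1" 200 5120',
    '203.0.113.10 - - [12/Nov/2025:10:15:07 +0000] "GET /wp-admin/admin.php?page=majestic-support&view=../../../../wp-config HTTP/1.1" 200 812',
    '203.0.113.10 - - [12/Nov/2025:10:15:09 +0000] "GET /wp-admin/admin.php?page=majestic-support&view=%252e%252e%252fwp-config HTTP/1.1" 200 812',
    '198.51.100.7 - - [12/Nov/2025:10:16:30 +0000] "GET /blog/../about HTTP/1.1" 301 0',
];

if (PHP_SAPI === 'cli') {
    foreach (scan_log($sample) as $ip => $events) {
        foreach ($events as $e) {
            printf("%s line %d: %s\n", $ip, $e['line'], implode(', ', $e['indicators']));
        }
    }
}
```

On the constructed sample, lines 2 and 3 are reported for 203.0.113.10 (the second only because of the double decode), while the fourth line is ignored because it never touches the plugin. The same checks translate directly into a WAF rule: restrict the rule to the plugin's request paths so ordinary traversal-looking URLs elsewhere on the site do not generate noise, and normalise encoding before matching.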