PHP EUVD-2025-28287

| CVE-2025-49255 HIGH
PHP Remote File Inclusion (CWE-98)
2025-06-17 [email protected]
8.1
CVSS 3.1

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

EUVD ID Assigned: Mar 14, 2026 - 22:15 (euvd) - EUVD-2025-28287
Analysis Generated: Mar 14, 2026 - 22:15 (vuln.today)
CVE Published: Jun 17, 2025 - 15:15 (nvd) - HIGH 8.1

Description (NVD)

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Ruza allows PHP Local File Inclusion. This issue affects Ruza: from n/a through 1.0.7.

Analysis (AI)

PHP Local File Inclusion (LFI) vulnerability in thembay Ruza, versions up to 1.0.7, stemming from improper control of filename parameters passed to PHP include/require statements. An unauthenticated remote attacker can exploit it over the network to read arbitrary files from the server and potentially execute code, achieving high confidentiality, integrity, and availability impact. The CVSS score of 8.1 reflects significant risk; attack complexity is rated High (AC:H), meaning exploitation depends on conditions outside the attacker's control, while the vector records no required user interaction (UI:N).

Technical Context (AI)

This vulnerability falls under CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program), a well-known weakness class affecting PHP applications that dynamically construct file paths passed to include(), require(), include_once(), or require_once() without sufficient input validation. The thembay Ruza product (likely a WordPress theme or plugin, based on naming convention) fails to sanitize user-supplied input before using it in file inclusion operations. The PHP interpreter resolves these statements at runtime; if an attacker controls the filename parameter, they can traverse directory structures (e.g., using '../' sequences) to reach sensitive files outside the intended directory, or, in RFI variants, include remote files. The affected product is identified by vendor thembay and product Ruza, with a CPE identifier pattern suggesting WordPress ecosystem integration. The advisory title carries the CWE-98 name ('PHP Remote File Inclusion'), but the issue as described manifests as Local File Inclusion; both variants share the same root cause, an include path built from unvalidated input.

Remediation (AI)

Patch: Upgrade thembay Ruza to version 1.0.8 or later (specific patch version not provided in advisory; consult thembay's official repository or WordPress.org plugin/theme directory). Priority: critical.

Workaround: Implement strict input validation and sanitization for all user-supplied parameters used in file inclusion operations; use a whitelist of allowed filenames or directories rather than blacklist-based filtering. Notes: If a patch is not immediately available, apply WAF rules to block '../' sequences and null byte injection attempts in GET/POST parameters suspected of feeding include statements.

Mitigation: Restrict file system permissions on the web root; ensure the PHP open_basedir directive is configured to limit PHP's file access to specific directories only. Notes: Reduces the impact of a successful LFI by preventing traversal to sensitive system files.

Monitoring: Monitor web server access logs for suspicious patterns: requests with '../' sequences, encoded traversal attempts (%2e%2e%2f), or parameters pointing to /etc/passwd, /etc/shadow, wp-config.php, or similar sensitive files. Notes: Early detection of exploitation attempts may allow incident response before data exfiltration.
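As an added example (not code from the Ruza theme, from thembay, or from the advisory), the allowlist-and-containment pattern the workaround above describes, placed beside the generic CWE-98 shape it replaces. The templates/ directory, the template names, the `template` request parameter and the function names are assumptions for illustration.

```php
<?php
// Added example: the CWE-98 shape from the Technical Context section
// contrasted with an allowlisted, path-contained include. Directory,
// template names and parameter name are assumed, not taken from Ruza.

// --- Weak pattern (CWE-98): the request value selects the file directly.
// Any value containing '../' leaves the templates directory, and with
// allow_url_include enabled a URL would be fetched instead of a local file.
function weak_include(string $template): void
{
    include __DIR__ . '/templates/' . $template . '.php';
}

// --- Hardened form: identifier check, allowlist, realpath containment.
const TEMPLATE_DIR = __DIR__ . '/templates';                 // assumed layout
const ALLOWED_TEMPLATES = ['header', 'footer', 'sidebar'];  // assumed names

function resolve_template(string $name): ?string
{
    // 1. Only a plain identifier is acceptable. This single check already
    //    rejects path separators, '..', null bytes and URL schemes.
    if (!preg_match('/\A[a-z0-9_-]{1,64}\z/', $name)) {
        return null;
    }
    // 2. Allowlist: the application knows every template it ships, so
    //    accept nothing outside that list (strict comparison, no type juggling).
    if (!in_array($name, ALLOWED_TEMPLATES, true)) {
        return null;
    }
    // 3. Defence in depth: after symlink and '..' resolution the file must
    //    still sit inside TEMPLATE_DIR. realpath() returns false if it is missing.
    $base = realpath(TEMPLATE_DIR);
    $path = realpath(TEMPLATE_DIR . '/' . $name . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

function safe_include(string $name): void
{
    $path = resolve_template($name);
    if ($path === null) {
        // Reject loudly: a 400 for the client and a log line for the
        // monitoring step in the remediation list above.
        http_response_code(400);
        error_log('rejected template parameter: ' . bin2hex($name));
        return;
    }
    include $path;
}

safe_include($_GET['template'] ?? 'header');
```

The three checks are deliberately redundant: the allowlist is the real control, the identifier regex keeps hostile bytes out of the log line and the filesystem call, and the realpath prefix test catches a future mistake in the allowlist (for example a symlink dropped into templates/). The rejected value is hex-encoded before logging so a traversal payload cannot inject newlines or terminal escapes into the log that the monitoring item relies on. The open_basedir directive from the mitigation item sits underneath all of this at the interpreter level and is configured in php.ini or the server's PHP settings, not in application code.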


EUVD-2025-28287 vulnerability details – vuln.today
