CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Description (NVD)
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in RadiusTheme Classified Listing allows PHP Local File Inclusion. This issue affects Classified Listing: from n/a through 4.2.0.
Analysis (AI)
CVE-2025-52715 is a PHP Local File Inclusion (LFI) vulnerability in RadiusTheme's Classified Listing plugin that allows authenticated attackers to include and execute arbitrary local files because filenames are not validated before being passed to PHP include/require statements. The vulnerability affects Classified Listing versions up to 4.2.0. While the CVSS score of 7.5 indicates high severity, the vector shows that exploitation requires an authenticated low-privilege account (PR:L) and has high attack complexity (AC:H), suggesting moderate real-world risk absent evidence of active exploitation or public proof-of-concept.
Technical Context (AI)
The vulnerability stems from CWE-98 (Improper Control of Filename for Include/Require Statement in PHP), a classic PHP application flaw in which user-supplied or inadequately sanitized input is passed directly to PHP's include(), require(), include_once(), or require_once() functions. The RadiusTheme Classified Listing plugin fails to properly validate or sanitize filenames before including them, potentially allowing path traversal (e.g., '../' sequences) to reach files outside the intended directory. The CWE name refers to Remote File Inclusion (RFI), but the impact described is Local File Inclusion (LFI): only files already present on the server can be included, so the flaw matters most where an attacker can already place or influence files on the host, for example in shared hosting environments. The affected product is a WordPress plugin, as indicated by the RadiusTheme vendor context and typical plugin version numbering schemes.
Remediation (AI)
Immediate actions: (1) update the RadiusTheme Classified Listing plugin to version 4.2.1 or later once released by RadiusTheme; (2) if no patch is available, temporarily disable the Classified Listing plugin on production sites; (3) audit file permissions to ensure non-web-accessible directories are restricted; (4) review WordPress user roles and limit authenticated access to trusted administrators only. Long-term: (1) implement Web Application Firewall (WAF) rules to detect path traversal sequences in plugin parameters; (2) enforce PHP configuration hardening (disable_functions, open_basedir restrictions); (3) conduct a code review of the plugin's include/require statements to ensure input validation; (4) monitor RadiusTheme security advisories at https://radiustheme.com or via WordPress plugin security feeds. Workaround: if patching the source is feasible, restrict the affected plugin functionality to administrative users only via capability checks.
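As an added illustration (not the plugin's code, which this page does not show), the CWE-98 include pattern described under Technical Context sits beside a hardened version that also applies the capability-check workaround from the Remediation. The `template` request parameter, the base directory and the template names are hypothetical.

```php
<?php
// Added illustration of CWE-98, not the plugin's code. Names are hypothetical.

// Vulnerable pattern: the request value is concatenated into the include path,
// so "../" sequences escape $base_dir (Local File Inclusion).
function render_template_unsafe(string $base_dir, string $name): void {
    include $base_dir . '/' . $name . '.php';
}

// Hardened variant: accept only names from a fixed allowlist, then confirm the
// resolved path is still inside $base_dir before including it. The second
// check is defence in depth; the allowlist alone already blocks traversal.
function render_template_safe(string $base_dir, string $name): bool {
    $allowed = ['listing-grid', 'listing-list', 'listing-single']; // hypothetical
    if (!in_array($name, $allowed, true)) {
        return false;
    }
    $root = realpath($base_dir);
    $path = realpath($base_dir . '/' . $name . '.php'); // false if file is absent
    if ($root === false || $path === false
        || strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return false;
    }
    include $path;
    return true;
}

// Capability check (the advisory's workaround): only administrators reach the
// include at all. current_user_can() is WordPress core; the guard on
// function_exists() lets the file load outside WordPress for inspection.
function maybe_render_template(string $base_dir): void {
    if (!function_exists('current_user_can') || !current_user_can('manage_options')) {
        return;
    }
    $name = isset($_GET['template']) ? (string) $_GET['template'] : 'listing-grid';
    if (!render_template_safe($base_dir, $name)) {
        http_response_code(400); // rejected name or path outside the template root
    }
}
```

Requests carrying traversal sequences now fail the allowlist check before any filesystem access, which is also the point at which a WAF rule on the same parameter would fire.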
EUVD-2025-28454