Platform
wordpress
Component
wp-review
Fixed in
5.3.6
CVE-2025-2158 is a Local File Inclusion (LFI) vulnerability affecting the 'WordPress Review Plugin: The Ultimate Solution for Building a Review Website' plugin. It allows authenticated attackers with Contributor-level access or higher to include and execute arbitrary files on the server, potentially leading to code execution and data compromise. The vulnerability affects versions 0.0.0 through 5.3.5, and a patch is expected from the plugin developer.
The impact of this LFI vulnerability is significant. An attacker can leverage it to execute arbitrary PHP code on the server, effectively gaining control over the WordPress site. This could lead to data breaches, website defacement, malware injection, or complete server compromise. The ability to include arbitrary files means an attacker could potentially access sensitive configuration files, database credentials, or other critical data. If the server allows PHP file uploads and inclusion, or if pearcmd is enabled, the attack surface expands considerably, allowing for more sophisticated exploitation techniques.
This vulnerability was publicly disclosed on 2025-05-10. The ease of exploitation, combined with the plugin's popularity, suggests a potential for widespread exploitation. While no public proof-of-concept (PoC) has been observed yet, the LFI nature of the vulnerability makes it relatively straightforward to exploit. It is not currently listed on the CISA KEV catalog, but its high CVSS score warrants monitoring.
WordPress websites utilizing the 'WordPress Review Plugin: The Ultimate Solution for Building a Review Website' plugin, particularly those running versions 0.0.0 through 5.3.5, are at risk. Shared hosting environments where users have Contributor-level access are especially vulnerable, as they provide the necessary authentication to exploit the vulnerability. Sites with weak file upload permissions are also at increased risk.
• wordpress / composer / npm:
grep -rF "wp_query_vars['post_type']" /var/www/html/wp-content/plugins/the-ultimate-review-plugin-for-wordpress/
• wordpress / composer / npm:
wp plugin list | grep "The Ultimate Solution for Building a Review Website"
• wordpress / composer / npm:
find /var/www/html/wp-content/uploads/ -name '*.php' -type f -mtime -7
Disclosure
Exploit status
EPSS
0.52% (67th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-2158 is to upgrade to a patched version of the WordPress Review Plugin as soon as it becomes available. Until a patch is released, consider implementing temporary workarounds. A Web Application Firewall (WAF) can be configured to block requests containing suspicious file paths or patterns that could be exploited for LFI. Additionally, restrict file upload permissions and disable pearcmd if it's not essential. Regularly scan your WordPress installation for vulnerable plugins using security scanning tools. After upgrade, confirm the vulnerability is resolved by attempting to access a non-existent PHP file through the vulnerable parameter.
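To support the "scan for vulnerable plugins" step above, here is an added example (not code from this advisory or from the plugin itself): a POSIX shell check that reads the installed plugin's WordPress "Version:" header and flags any version below the fixed release 5.3.6. It assumes the plugin directory contains a main PHP file with a standard plugin header and that the operator passes the directory path (the wp-review path in the usage comment is a placeholder).

```shell
#!/bin/sh
# Added example, not code from the advisory or the plugin: flag an installed
# copy of the plugin whose version is below the fixed release 5.3.6.
# Assumption: the plugin directory holds a main PHP file with the standard
# WordPress "Version:" header; the path is passed in by the operator.
FIXED_VERSION="5.3.6"

# Print the "Version:" header value from the plugin's PHP files (first match).
plugin_version_from_dir() {
    grep -h -m1 -E '^[[:space:]]*\*?[[:space:]]*Version:' "$1"/*.php 2>/dev/null \
        | head -n1 | sed -E 's/.*Version:[[:space:]]*//; s/[[:space:]]*$//'
}

# Succeed (exit 0) when dotted version $1 is strictly lower than $2.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xa = (i <= na) ? x[i] + 0 : 0
            yb = (i <= nb) ? y[i] + 0 : 0
            if (xa < yb) exit 0
            if (xa > yb) exit 1
        }
        exit 1   # equal, so not lower
    }'
}

# Succeed when the version lies in the affected range 0.0.0 .. 5.3.5.
is_affected_version() {
    version_lt "$1" "$FIXED_VERSION"
}

# Report on one plugin directory: 0 = affected, 1 = patched, 2 = no header.
check_plugin_dir() {
    v="$(plugin_version_from_dir "$1")"
    if [ -z "$v" ]; then
        echo "no Version header found under $1" >&2
        return 2
    fi
    if is_affected_version "$v"; then
        echo "AFFECTED (CVE-2025-2158): $1 is $v, below $FIXED_VERSION"
        return 0
    fi
    echo "ok: $1 is $v, at or above $FIXED_VERSION"
    return 1
}

# Usage (placeholder path): sh check_wp_review.sh /var/www/html/wp-content/plugins/wp-review
if [ "$#" -eq 1 ]; then check_plugin_dir "$1"; fi
```

The exit status is meant for scripting: loop it over every directory in wp-content/plugins and act on the ones that return 0.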
Update the 'WordPress Review Plugin: The Ultimate Solution for Building a Review Website' plugin to the latest available version to fix this local file inclusion vulnerability. Verify that file and directory permissions are appropriate to prevent unauthorized access. Consider disabling PHP execution in directories where it is not required.
CVE-2025-2158 is a Local File Inclusion vulnerability in the WordPress Review Plugin, allowing authenticated attackers to execute arbitrary files.
You are affected if you are using WordPress Review Plugin versions 0.0.0 through 5.3.5.
Upgrade to a patched version of the WordPress Review Plugin as soon as it is available. Disable the plugin as a temporary workaround.
While not confirmed, active exploitation is possible due to the vulnerability's high severity and ease of exploitation.
Refer to the WordPress Review Plugin developer's website and the WordPress security announcements page for updates.