Platform: wordpress
Component: wp-review
Fixed in: 5.3.6
CVE-2025-2158 is a Local File Inclusion (LFI) vulnerability affecting the WordPress Review Plugin: The Ultimate Solution for Building a Review Website. It allows authenticated attackers with Contributor-level access or higher to include and execute arbitrary files on the server, potentially leading to code execution and data compromise. The vulnerability impacts versions 0.0.0 through 5.3.5, and a patch is expected from the plugin developer.
The primary impact of CVE-2025-2158 is the potential for arbitrary code execution on a WordPress server. An attacker, having only Contributor-level access, can leverage this LFI vulnerability to include and execute PHP code. This could involve uploading malicious PHP files and then including them through the vulnerable custom fields. Successful exploitation could lead to complete server compromise, including data theft, modification, or deletion. The attacker could also establish a persistent backdoor for future access. The ability to execute arbitrary code bypasses standard WordPress access controls, significantly expanding the attack surface. This vulnerability shares similarities with other LFI exploits where attackers leverage file inclusion to gain unauthorized access and control.
CVE-2025-2158 was publicly disclosed on 2025-05-10. The CVSS score is 8.8 (HIGH), indicating a significant risk. Public proof-of-concept (POC) code is likely to emerge given the vulnerability's nature and ease of exploitation. The vulnerability is not currently listed on the CISA KEV catalog, but its high severity warrants monitoring. Active exploitation campaigns are possible, particularly targeting WordPress sites with unpatched plugins.
Exploit Status
EPSS: 0.52% (67th percentile)
The primary mitigation for CVE-2025-2158 is to upgrade the WordPress Review Plugin to a patched version as soon as it becomes available. Until a patch is released, consider disabling the plugin entirely to prevent exploitation. As a temporary workaround, restrict file upload permissions to prevent attackers from uploading malicious PHP files. Implement strict input validation and sanitization on all custom fields to prevent malicious code from being injected. Monitor WordPress and web server logs for suspicious file inclusion attempts. If a rollback is necessary due to a breaking upgrade, revert to a previous, non-vulnerable version of the plugin and immediately apply the recommended mitigations.
Update the WordPress Review Plugin: The Ultimate Solution for Building a Review Website to the latest available version to fix this local file inclusion vulnerability. Verify that file and directory permissions are appropriate to prevent unauthorized access. Consider disabling PHP execution in directories where it is not needed.
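As an added example (not code from the advisory or from the plugin), the following Python scanner applies the log-monitoring advice above to constructed Combined Log Format lines, flagging common local-file-inclusion indicators (traversal sequences, PHP stream wrappers, references to sensitive files, null bytes) after percent-decoding so that double-encoded payloads are not missed. The endpoints and parameter names in the sample lines are assumptions for illustration, not the plugin's actual vulnerable fields.

```python
"""Flag access-log lines that look like local-file-inclusion attempts against
a WordPress site. Added example; the log lines below are constructed."""
import re
from urllib.parse import unquote

# Combined Log Format: ip ident user [ts] "METHOD path HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Generic LFI indicators; order matters for the reported list.
INDICATORS = {
    "traversal": re.compile(r'(\.\./|\.\.\\)'),
    "php_wrapper": re.compile(r'\b(php|phar|data|expect|file)://', re.I),
    "sensitive_file": re.compile(r'(wp-config\.php|/etc/passwd|\.htaccess)', re.I),
    "null_byte": re.compile(r'%00|\x00'),
}

def normalise(path: str) -> str:
    """Percent-decode up to twice so double-encoded payloads (%252e) are caught."""
    decoded = path
    for _ in range(2):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded

def classify(line: str):
    """Return a finding dict for a suspicious line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not a parseable access-log line
    path = normalise(m.group("path"))
    hits = [name for name, rx in INDICATORS.items() if rx.search(path)]
    if not hits:
        return None
    return {"ip": m.group("ip"), "method": m.group("method"), "path": path,
            "status": int(m.group("status")), "indicators": hits}

def scan(lines):
    """Scan an iterable of log lines and return all findings."""
    return [r for r in (classify(l) for l in lines) if r]

SAMPLE_LOG = [  # constructed lines; parameter names are assumptions
    '203.0.113.5 - - [10/May/2025:12:00:01 +0000] "GET /wp-admin/post.php?post=12&action=edit HTTP/1.1" 200 5120',
    '203.0.113.5 - - [10/May/2025:12:00:02 +0000] "POST /wp-admin/post.php?item=..%2F..%2Fwp-config.php HTTP/1.1" 302 0',
    '198.51.100.7 - - [10/May/2025:12:00:03 +0000] "GET /index.php?page=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 210',
    '198.51.100.7 - - [10/May/2025:12:00:04 +0000] "GET /wp-admin/admin-ajax.php?file=php://filter/resource=wp-config.php HTTP/1.1" 200 88',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Run it against a real access log by replacing SAMPLE_LOG with the file's lines; a hit from an authenticated wp-admin path is the pattern this advisory's Contributor-level precondition implies.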
CVE-2025-2158 is a Local File Inclusion vulnerability in the WordPress Review Plugin, allowing authenticated attackers to execute arbitrary files.
You are affected if you are using WordPress Review Plugin versions 0.0.0 through 5.3.5.
Upgrade to a patched version of the WordPress Review Plugin as soon as it is available. Disable the plugin as a temporary workaround.
While not confirmed, active exploitation is possible due to the vulnerability's high severity and ease of exploitation.
Refer to the WordPress Review Plugin developer's website and the WordPress security announcements page for updates.