Platform
wordpress
Component
wp-last-modified-info
Fixed version
1.9.5
CVE-2025-52756 describes a Remote Code Execution (RCE) vulnerability within the WP Last Modified Info plugin for WordPress. This flaw, categorized as Code Injection, allows attackers to achieve Remote Code Inclusion, potentially leading to complete system compromise. The vulnerability impacts versions from 0.0.0 through 1.9.4, and a patch is available in version 1.9.5.
The primary impact of CVE-2025-52756 is the ability for an attacker to execute arbitrary code on a WordPress-powered website. Successful exploitation allows for Remote Code Inclusion (RCI), effectively granting the attacker control over the server's execution environment. This can lead to data breaches, website defacement, malware installation, and potentially, lateral movement within the network if the web server has access to other resources. The Code Injection nature of the vulnerability suggests a relatively straightforward exploitation path, potentially making it attractive to a wide range of attackers.
CVE-2025-52756 was publicly disclosed on 2025-10-22. The vulnerability's nature (RCE via Code Injection) suggests a potentially high probability of exploitation, especially given the widespread use of WordPress plugins. There is currently no indication of active exploitation campaigns or a listing on CISA KEV, but the ease of exploitation could change this. Public proof-of-concept code is likely to emerge.
Websites using the WP Last Modified Info plugin, particularly those running older, unpatched versions (0.0.0–1.9.4), are at significant risk. Shared hosting environments are especially vulnerable, as they often have limited control over plugin updates and security configurations. WordPress installations with weak security practices, such as default user credentials or outdated core software, are also at increased risk.
• wordpress / composer / npm:
grep -r "wp-last-modified-info" /var/www/html/
wp plugin list --status=inactive | grep wp-last-modified-info
wp plugin update --all
wp plugin status wp-last-modified-info
wp plugin list --all
Exploit status
EPSS
0.04% (12th percentile)
CISA SSVC
CVSS vector
The most effective mitigation for CVE-2025-52756 is to immediately upgrade the WP Last Modified Info plugin to version 1.9.5 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider temporarily disabling the plugin. As a secondary measure, implement strict file access controls on the WordPress server to limit the attacker's ability to upload and execute malicious code. Web Application Firewall (WAF) rules can be configured to detect and block attempts to include external files, although this is not a substitute for patching. After upgrading, verify the fix by attempting to access the plugin's functionality and confirming that no unexpected code execution occurs.
Update to version 1.9.5 or a later fixed version.
CVE-2025-52756 is a Remote Code Execution vulnerability in the WP Last Modified Info plugin for WordPress, allowing attackers to execute arbitrary code through Code Injection.
You are affected if you are using WP Last Modified Info versions 0.0.0 through 1.9.4. Upgrade immediately to mitigate the risk.
Upgrade the WP Last Modified Info plugin to version 1.9.5 or later. If immediate upgrade is not possible, disable the plugin temporarily.
There is currently no confirmed active exploitation, but the vulnerability's nature suggests a high probability of exploitation.
Refer to the plugin developer's website or WordPress.org plugin repository for the official advisory and update information.