CVE-2025-49307
BaseFortify
Publication date: 2025-06-06
Last updated on: 2026-04-23
Assigner: Patchstack
Description
Exploitability
| CWE ID | Description |
|---|---|
| CWE-98 | The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Local File Inclusion (LFI) issue in the WordPress WP Multilang plugin, affecting versions up to and including 2.4.19. It allows an authenticated attacker with contributor-level privileges (or higher) to include and display local files from the target website. This can expose sensitive information such as database credentials and, depending on the website's configuration, potentially lead to a complete database takeover. [1]
How can this vulnerability impact me?
The vulnerability can expose sensitive information from your website, including database credentials. If exploited, it could lead to a complete takeover of your database, compromising the confidentiality, integrity, and availability of your data and services. This could disrupt your website operations and lead to data breaches. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves checking whether the installed WP Multilang plugin version is 2.4.19 or earlier, as these versions are vulnerable. Additionally, monitoring for unusual file inclusion attempts or unexpected access to local files via contributor-level accounts may indicate exploitation. Specific commands are not provided in the resources, but typical approaches include checking the plugin version in the WordPress admin plugin list or using vulnerability scanners that detect Local File Inclusion issues. Reviewing web server logs for requests that carry path-traversal sequences (such as "../"), PHP stream wrappers (such as "php://filter"), or references to sensitive files such as wp-config.php may also help. [1]
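The two approaches above can be turned into an offline check. The following is an added example, not code from BaseFortify, Patchstack or the WP Multilang project. It assumes the plugin's WordPress.org slug is `wp-multilang`, that its main file carries a standard `Version:` plugin header, and that the access log is in the common Apache/nginx combined format. The request parameters used by the real exploit are not published on this page, so the log scan keys on generic LFI indicators rather than on any specific parameter; the sample header and log lines are constructed for illustration and the parameter names in them are made up.

```python
"""Added example: version check plus generic LFI log scan for the WP Multilang
advisory (affected <= 2.4.19). Not the project's own code; slug, header
layout, log format and sample data are assumptions, see the lead-in."""
import re
from urllib.parse import unquote

AFFECTED_MAX = "2.4.19"        # highest affected version per the advisory text
PLUGIN_SLUG = "wp-multilang"   # assumed WordPress.org slug of the plugin

# Generic LFI indicators (not the exploit's real parameters, which are not public here).
LFI_PATTERNS = [
    (r"\.\./", "path traversal"),
    (r"wp-config\.php", "wp-config.php read attempt"),
    (r"/etc/passwd", "/etc/passwd read attempt"),
    (r"php://(filter|input)", "PHP stream wrapper"),
    (r"(data|expect|phar)://", "non-file stream wrapper"),
    (r"\x00", "null byte"),
]

# Apache/nginx "combined" format: ip ident user [ts] "METHOD path PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_version(v):
    """'2.4.19.1' -> (2, 4, 19, 1); tuples compare correctly for dotted versions."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def is_affected(version):
    """True when the installed version is within the affected range (<= 2.4.19)."""
    return parse_version(version) <= parse_version(AFFECTED_MAX)


def header_version(plugin_main_file_text):
    """Pull the 'Version:' value out of a WordPress plugin header comment block."""
    m = re.search(r"^\s*\*?\s*Version:\s*([\w.\-]+)", plugin_main_file_text, re.M)
    return m.group(1) if m else None


def scan_log_lines(lines):
    """Return one finding per log line whose request path carries an LFI indicator.

    The path is URL-decoded twice so double-encoded traversal (%252e%252e%252f)
    is caught as well as the plain form."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded = unquote(unquote(m.group("path")))
        hits = [label for pat, label in LFI_PATTERNS if re.search(pat, decoded, re.I)]
        if hits:
            findings.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "path": m.group("path"),
                "status": int(m.group("status")),   # 200 on a traversal path deserves a closer look
                "targets_plugin": PLUGIN_SLUG in decoded,
                "hits": hits,
            })
    return findings


# Constructed sample data (not a real plugin file or real traffic).
SAMPLE_PLUGIN_HEADER = """<?php
/**
 * Plugin Name: WP Multilang
 * Version: 2.4.19
 */
"""

SAMPLE_LOG = [
    '203.0.113.7 - - [06/Jun/2025:10:01:12 +0000] "GET /wp-content/plugins/wp-multilang/style.css HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [06/Jun/2025:10:01:15 +0000] "GET /wp-admin/admin-ajax.php?action=demo&file=../../../../wp-config.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [06/Jun/2025:10:01:20 +0000] "GET /?p=12&tpl=php://filter/convert.base64-encode/resource=wp-config.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [06/Jun/2025:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [06/Jun/2025:10:03:00 +0000] "GET /index.php?page=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    v = header_version(SAMPLE_PLUGIN_HEADER)
    print(f"installed {PLUGIN_SLUG} {v}: {'AFFECTED' if is_affected(v) else 'not affected'}")
    for f in scan_log_lines(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} status={f['status']} {f['hits']} {f['path']}")
```

On a live site the header can be read from `wp-content/plugins/wp-multilang/wp-multilang.php` (assumed path), or the version obtained with WP-CLI via `wp plugin get wp-multilang --field=version`; a 200 response on a flagged request is the line to triage first, since a 404 means the server never served the path.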
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the WP Multilang plugin to version 2.4.19.1 or later, where the vulnerability is fixed. Alternatively, applying virtual patching (vPatching) offered by Patchstack can auto-mitigate this vulnerability before the official patch is applied. It is also recommended to review which accounts hold contributor-level privileges or higher, remove any that do not need them, and monitor for signs of compromise. If a compromise is suspected, professional incident response services should be engaged. [1]