CVE-2025-49886
BaseFortify
Publication date: 2025-06-27
Last updated on: 2026-04-23
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-98 | The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Local File Inclusion (LFI) issue in the WordPress Zikzag Core plugin versions up to 1.4.5. It allows unauthenticated attackers to include and display local files from the target website by exploiting improper control of filenames in PHP include/require statements. This can expose sensitive information such as database credentials and potentially lead to a complete database takeover. [1]
How can this vulnerability impact me? :
The vulnerability can have severe impacts including exposure of sensitive information like database credentials, unauthorized access to local files, and potentially a complete takeover of the website's database. Since it requires no authentication to exploit, it poses a high risk and could be widely exploited, leading to data breaches and loss of control over the affected website. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection involves monitoring for attempts to exploit the Local File Inclusion vulnerability by looking for unusual HTTP requests that include suspicious file paths or parameters targeting the Zikzag Core plugin. Network intrusion detection systems (NIDS) or web application firewalls (WAF) can be configured to detect such patterns. Additionally, professional incident response and server-side malware scanning are recommended to identify compromise. Specific commands are not provided in the resources. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include applying the virtual patch (vPatch) provided by Patchstack to block attacks until the plugin is updated. Users should update the Zikzag Core plugin to version 1.4.6 or later to fully resolve the issue. Patchstack also offers automatic mitigation and auto-update options. It is advised to perform professional incident response and server-side malware scanning if compromise is suspected. Avoid relying on plugin-based malware scanners as they can be tampered with by malware. [1]