CVE-2025-52708
BaseFortify
Publication date: 2025-06-20
Last updated on: 2026-04-23
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-98 | The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Local File Inclusion (LFI) issue in the WordPress HUSKY plugin up to version 1.3.7. It allows an attacker with at least Contributor-level privileges to include and display local files from the target website. These files may contain sensitive information such as database credentials, which could lead to further compromise of the site. The vulnerability arises from improper control of filenames used in include/require statements in PHP. [1]
How can this vulnerability impact me? :
An attacker exploiting this vulnerability can access and display local files on the server, potentially exposing sensitive data like database credentials. This could enable a full database takeover depending on the site's configuration, leading to data breaches, site defacement, or further exploitation. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the WordPress HUSKY plugin version installed is 1.3.7 or earlier, as these versions are affected. Additionally, monitoring for unusual file inclusion attempts or suspicious HTTP requests that try to include local files via the plugin could indicate exploitation attempts. Specific commands are not provided in the resources, but verifying the plugin version can be done via WordPress admin or by checking the plugin files. Network monitoring tools could be used to detect suspicious requests targeting the plugin's include/require functionality. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to update the WordPress HUSKY plugin to version 1.3.7.1 or later, where the vulnerability is fixed. Alternatively, applying virtual patching (vPatching) offered by Patchstack can automatically protect vulnerable installations before official patches are applied. Restricting user privileges to prevent attackers from gaining Contributor-level access can also reduce risk. [1]