CVE-2025-69375
Local File Inclusion in SolverWp Portfolio Builder
Publication date: 2026-02-20
Last updated on: 2026-02-24
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| patchstack | swp-portfolio | to 1.2.5 (inc) |
| solverwp | portfolio_builder | to 1.2.5 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-98 | The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-69375 is a Local File Inclusion (LFI) vulnerability in the WordPress Portfolio Builder Plugin (swp-portfolio) versions up to and including 1.2.5.
This vulnerability allows unauthenticated attackers to include and display local files from the target website by exploiting improper control of filename for include/require statements in PHP.
As a result, attackers can potentially access sensitive information stored on the server, such as database credentials.
How can this vulnerability impact me? :
[{'type': 'paragraph', 'content': 'Exploitation of this vulnerability can lead to exposure of sensitive files and information on the affected website.'}, {'type': 'paragraph', 'content': "Depending on the website's configuration, attackers could achieve complete database takeover."}, {'type': 'paragraph', 'content': 'This poses a severe security risk with a high likelihood of exploitation, potentially compromising the confidentiality and integrity of your data.'}] [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
CVE-2025-69375 is a Local File Inclusion vulnerability in the WordPress Portfolio Builder Plugin up to version 1.2.5 that allows unauthenticated attackers to include and display local files. Detection typically involves monitoring for suspicious HTTP requests attempting to exploit the include/require statement flaw.
While no specific commands are provided in the resources, common detection methods include inspecting web server logs for unusual URL parameters that reference local files, such as requests containing file paths or attempts to include sensitive files like /etc/passwd or wp-config.php.
Network intrusion detection systems (NIDS) or web application firewalls (WAFs) can be configured to alert on patterns consistent with Local File Inclusion attacks targeting this plugin.
What immediate steps should I take to mitigate this vulnerability?
Since no official patch is currently available for CVE-2025-69375, immediate mitigation involves applying the Patchstack mitigation rule that blocks attacks targeting this Local File Inclusion vulnerability.
Users are strongly advised to implement Patchstackβs automated vulnerability mitigation and continuous security monitoring to protect their WordPress sites from exploitation.
Additionally, restricting access to the vulnerable plugin, disabling it if not in use, and monitoring for suspicious activity can help reduce risk until an official patch is released.