Description
The WordPress Review Plugin: The Ultimate Solution for Building a Review Website plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 5.3.5 via the Post custom fields. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where PHP file types can be uploaded and included, or pearcmd is enabled on a server with register_argc_argv also enabled.
Published: 2025-05-10
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary code execution via Local File Inclusion
Action: Immediate Patch
AI Analysis

Impact

The WordPress Review Plugin: The Ultimate Solution for Building a Review Website contains a local file inclusion flaw in all versions up to 5.3.5, enabling authenticated users with at least Contributor privileges to include and execute arbitrary files on the server. This permits code execution, enabling attackers to bypass existing access controls, exfiltrate data or leverage uploaded PHP files for further compromise. The vulnerability is an example of improper validation of file paths, classified as CWE-22.

Affected Systems

The flaw affects the WordPress Review Plugin by the mythemeshop vendor, specifically all releases 5.3.5 and earlier. Users running these plugin versions on any WordPress site are impacted.

Risk and Exploitability

The CVSS score of 8.8 reflects a severe risk, but the EPSS of < 1% indicates that exploitation is considered unlikely at the moment. The vulnerability is not listed in the CISA KEV catalog, so there is no evidence of known widespread active exploitation. The likely attack vector is as follows: an adversary authenticates to the WordPress dashboard with Contributor or higher rights and manipulates post custom fields to supply a file path that is then resolved by the plugin, resulting in PHP code execution. Because the flaw relies on valid authentication, the threat surface is limited to compromised or stolen credentials.

Generated by OpenCVE AI on April 22, 2026 at 01:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WordPress Review Plugin to a newer version where the LFI bug has been fixed.
  • If an upgrade is not feasible, disable the plugin’s inclusion of post custom fields from untrusted content or change file permissions to prevent execution.
  • Ensure that the WordPress upload directory does not allow PHP execution by disabling PHP or setting appropriate .htaccess rules.

Generated by OpenCVE AI on April 22, 2026 at 01:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-14226 The WordPress Review Plugin: The Ultimate Solution for Building a Review Website plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 5.3.5 via the Post custom fields. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where PHP file types can be uploaded and included, or pearcmd is enabled on a server with register_argc_argv also enabled.
History

Mon, 12 May 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Sat, 10 May 2025 09:30:00 +0000

Type Values Removed Values Added
Description The WordPress Review Plugin: The Ultimate Solution for Building a Review Website plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 5.3.5 via the Post custom fields. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where PHP file types can be uploaded and included, or pearcmd is enabled on a server with register_argc_argv also enabled.
Title WordPress Review Plugin: The Ultimate Solution for Building a Review Website <= 5.3.5 - Authenticated (Contributor+) Local File Inclusion via Post Custom Fields
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:12:11.837Z

Reserved: 2025-03-10T12:30:43.872Z

Link: CVE-2025-2158

cve-icon Vulnrichment

Updated: 2025-05-12T13:20:14.860Z

cve-icon NVD

Status : Deferred

Published: 2025-05-10T10:15:20.227

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-2158

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T01:45:05Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')