CVE-2025-2158 is a path traversal vulnerability (CWE-22) found in the WordPress Review Plugin: The Ultimate Solution for Building a Review Website by mythemeshop, affecting all versions up to and including 5.3.5. The flaw arises from improper validation of pathname inputs in post custom fields, allowing authenticated users with Contributor-level privileges or higher to include arbitrary files from the server. This Local File Inclusion (LFI) vulnerability can lead to execution of arbitrary PHP code if an attacker can upload PHP files or if the server environment has pearcmd enabled alongside register_argc_argv, which facilitates command execution. The vulnerability does not require user interaction beyond authentication and can be exploited remotely over the network. The CVSS v3.1 base score is 8.8, reflecting its high impact on confidentiality, integrity, and availability. Exploiting this vulnerability can allow attackers to bypass access controls, read sensitive files, and execute malicious code, potentially leading to full server compromise. No official patches have been linked yet, but the vulnerability is publicly disclosed and enriched by CISA, indicating its criticality and the need for urgent mitigation.

The impact of CVE-2025-2158 is severe for organizations using the affected WordPress plugin. Attackers with relatively low privileges (Contributor-level) can escalate their access to execute arbitrary code on the web server, potentially leading to full system compromise. This can result in unauthorized access to sensitive data, defacement of websites, deployment of malware, or pivoting to internal networks. The vulnerability threatens confidentiality by exposing sensitive files, integrity by allowing code execution and modification of site content, and availability by enabling denial-of-service conditions through malicious payloads. Given WordPress's widespread use, especially in small to medium businesses and content-driven sites, exploitation could disrupt business operations and damage reputations. The lack of known exploits in the wild currently reduces immediate risk but does not diminish the urgency for remediation, as public disclosure increases the likelihood of future exploitation.

To mitigate CVE-2025-2158, organizations should immediately upgrade the WordPress Review Plugin to a patched version once available from mythemeshop. Until a patch is released, administrators should restrict Contributor-level user capabilities to prevent file uploads or custom field modifications that could be exploited. Implementing a Web Application Firewall (WAF) with rules to detect and block path traversal attempts targeting the plugin’s endpoints can provide temporary protection. Server-side, disable pearcmd and the register_argc_argv PHP directive if not required, reducing the risk of command execution. Regularly audit user roles and permissions to minimize the number of users with Contributor or higher privileges. Additionally, monitor server logs for suspicious file inclusion attempts and unusual PHP executions. Employing strict file upload validation and limiting executable file types on the server can further reduce risk. Finally, maintain regular backups and have an incident response plan ready in case of compromise.