
CVE-2025-2158: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in mythemeshop WordPress Review Plugin: The Ultimate Solution for Building a Review Website

Severity: High
Tags: Vulnerability, CVE-2025-2158, cve, cwe-22
Published: Sat May 10 2025 (05/10/2025, 09:23:00 UTC)
Source: CVE
Vendor/Project: mythemeshop
Product: WordPress Review Plugin: The Ultimate Solution for Building a Review Website

Description

The WordPress Review Plugin: The Ultimate Solution for Building a Review Website plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 5.3.5 via the Post custom fields. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where PHP file types can be uploaded and included, or pearcmd is enabled on a server with register_argc_argv also enabled.

AI-Powered Analysis

Last updated: 07/12/2025, 04:49:29 UTC

Technical Analysis

CVE-2025-2158 is a high-severity vulnerability in the WordPress Review Plugin: The Ultimate Solution for Building a Review Website by mythemeshop, affecting all versions up to and including 5.3.5. It is classified as CWE-22 (improper limitation of a pathname to a restricted directory, i.e. path traversal) and manifests as Local File Inclusion (LFI): a value that an authenticated user stores in a post's custom fields is used, without sufficient sanitization, to build the path of a file the plugin includes. WordPress lets Contributors create and edit their own draft posts and set custom fields on them, so Contributor-level access is enough to control that value, and an attacker can make the plugin include and execute arbitrary files that already exist on the server.

Turning file inclusion into code execution requires a file whose content the attacker controls or can influence. The advisory names the two usual routes: a PHP file the attacker managed to upload (through any upload path that does not reject PHP content), or PEAR's pearcmd.php present on the server together with register_argc_argv enabled, in which case pearcmd.php parses its command line from the request's query string when it is included and can be driven to write a file. Even without such a file, including non-PHP files discloses their contents, so the flaw still allows reading data the web server can read and bypassing the plugin's access controls.

No user interaction beyond authentication is required and the attack vector is network-based. The CVSS v3.1 base score is 8.8 (High); confidentiality, integrity and availability are all affected. No in-the-wild exploitation had been reported at the time of analysis, but Contributor accounts are routinely issued to external content creators and are a common target for credential theft, so the practical barrier is low. The root cause is the familiar one for plugins that pick a file to include from user-supplied data: no allowlist of permitted file names, and no check that the resolved path stays inside the intended directory.
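The pattern described above, as an added illustration rather than code from the mythemeshop plugin: a generic "layout chosen by a post custom field" include, first in the shape that produces CWE-22 / LFI, then hardened with an allowlist plus a canonical-path containment check. The function names, the '_review_layout' meta key, the templates directory and the layout names are assumptions; the only WordPress API used is get_post_meta(), and the file also runs stand-alone with php to exercise the resolver.

```php
<?php
// Added illustration, not code from the mythemeshop plugin. Function names,
// the '_review_layout' meta key and the templates directory are assumptions.

// --- Vulnerable shape (hypothetical) --------------------------------------
// Any Contributor can set post custom fields, so $layout is attacker
// controlled. "../" walks out of the plugin directory; a value such as
// "../../../../usr/share/php/pearcmd" is the usual target when
// register_argc_argv=On, because pearcmd.php then parses its command line
// from the query string and can be driven to write a file.
function vuln_render_review_layout(int $post_id): void {
    $layout = get_post_meta($post_id, '_review_layout', true);
    include __DIR__ . '/templates/' . $layout . '.php';   // LFI sink
}

// --- Hardened shape --------------------------------------------------------
const REVIEW_LAYOUTS = ['default', 'compact', 'grid'];   // what the plugin ships

// Returns the canonical template path, or null if the name is not allowlisted,
// the file is missing, or (defence in depth) the resolved path escapes $dir.
function resolve_review_layout(string $layout, string $dir): ?string {
    if (!in_array($layout, REVIEW_LAYOUTS, true)) {
        return null;
    }
    $base = realpath($dir);
    $path = realpath($dir . '/' . $layout . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    // realpath() has already collapsed ".." and symlinks, so a prefix check on
    // the canonical path is sound; the separator stops "/templates2" matching.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

function safe_render_review_layout(int $post_id): void {
    $layout = (string) get_post_meta($post_id, '_review_layout', true);
    $path   = resolve_review_layout($layout, __DIR__ . '/templates');
    include $path ?? __DIR__ . '/templates/default.php';   // known-good fallback
}

// Stand-alone self-check (`php lfi_pattern.php`); WordPress is not loaded here.
// The temporary templates directory and its single file are constructed inline.
if (PHP_SAPI === 'cli' && !function_exists('get_post_meta')) {
    $dir = sys_get_temp_dir() . '/review-templates-' . getmypid();
    mkdir($dir);
    file_put_contents("$dir/default.php", "<?php echo 'default';\n");
    $checks = [
        resolve_review_layout('default', $dir) === realpath("$dir/default.php"),
        resolve_review_layout('../../../../etc/passwd', $dir) === null,
        resolve_review_layout('../../../../usr/share/php/pearcmd', $dir) === null,
        resolve_review_layout('grid', $dir) === null,   // allowlisted but absent
    ];
    unlink("$dir/default.php");
    rmdir($dir);
    if (in_array(false, $checks, true)) {
        fwrite(STDERR, "resolver check failed\n");
        exit(1);
    }
    echo "resolver checks passed\n";
}
```

The allowlist is the actual fix: a layout name is data, never a path fragment. The realpath() containment check only exists so that a later mistake in the allowlist (or a name that is itself a symlink) cannot reintroduce traversal; it is not a substitute for the allowlist, because realpath() returns false for non-existent files and says nothing about whether including an existing file is appropriate.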

Potential Impact

For European organizations using WordPress websites with this plugin installed, the impact can be severe. Exploitation could lead to unauthorized disclosure of sensitive information, including internal documents or user data stored on the server. Attackers could also achieve full code execution, enabling them to implant backdoors, deface websites, or pivot to other internal systems. This is particularly critical for organizations in regulated sectors such as finance, healthcare, and government, where data breaches can lead to regulatory penalties under GDPR and damage to reputation. The ease of exploitation by users with Contributor-level access means that insider threats or compromised accounts could be leveraged to launch attacks. Additionally, the widespread use of WordPress in Europe for business and governmental websites increases the attack surface. The ability to bypass access controls and execute arbitrary PHP code can also facilitate ransomware deployment or other malware infections, impacting availability and business continuity.

Mitigation Recommendations

1. Upgrade: update the plugin to a fixed version (later than 5.3.5) as soon as mythemeshop releases one. Until then, deactivate or uninstall the plugin if it is not essential.
2. Access control review: restrict Contributor-level and higher roles to trusted users, audit existing accounts for unnecessary privileges, and enforce strong authentication (MFA where available) for every account that can edit posts.
3. Web application firewall: deploy rules that reject traversal sequences ("../", "..\", and their URL-encoded forms such as %2e%2e%2f) and PHP stream wrappers (php://, phar://, data://) in post-save requests. Remember that the payload is stored first and triggered later when the post is rendered, so inspect stored custom-field values as well as incoming requests.
4. Server hardening: pearcmd.php is part of PEAR, not a PHP function, so it cannot be disabled with disable_functions; remove PEAR from production web servers or move it out of any path reachable by include(). Set register_argc_argv = Off for the web SAPI: php.ini-production already sets it Off, but PHP's built-in default is On, so containers shipped without a php.ini are frequently exposed. Keep allow_url_include = Off (the default) and consider open_basedir to confine includes to the document root.
5. File upload restrictions: enforce strict file type validation on uploads, reject PHP content regardless of extension, and make sure the uploads directory cannot execute PHP (for example, a web server rule that serves wp-content/uploads as static files only).
6. Monitoring and logging: alert on custom-field values and request parameters containing traversal sequences, stream wrappers, pearcmd, or null bytes, and periodically query wp_postmeta for such values to catch payloads that were stored before detection was in place.
7. Incident response readiness: be prepared to isolate affected systems, preserve web server and PHP logs, and conduct forensic analysis (including a search for newly written PHP files) if exploitation is suspected.
8. Code review: for organizations developing custom plugins or themes, never build an include path from user-controlled data; resolve a user-supplied name against an allowlist and verify the canonical path stays inside the intended directory.
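One way to apply items 3 and 6 at the application layer while waiting for the fix, as an added example that is not part of this advisory or of mythemeshop's code: a small must-use plugin that refuses to store any post meta value that looks like a traversal or stream-wrapper payload, and logs the attempt. The three filter names are real WordPress core short-circuit filters (add_post_metadata, update_post_metadata, update_post_metadata_by_mid); the plugin name, function names and the exact pattern set are assumptions, and the file also runs stand-alone with php to exercise the check against constructed values.

```php
<?php
/**
 * Plugin Name: LFI meta guard (added example, not from mythemeshop)
 * Description: Temporary mu-plugin that refuses to store post meta values
 *              resembling path traversal or PHP stream-wrapper payloads.
 * Place in wp-content/mu-plugins/ until the plugin is upgraded, then remove.
 */

// Pure check, kept free of WordPress calls so it can be tested without WP.
function lfi_meta_value_is_suspicious($value): bool {
    if (!is_string($value)) {
        return false;                        // arrays and numbers are not paths
    }
    // A null byte never belongs in a custom field and truncated paths in old PHP.
    if (strpos($value, "\0") !== false) {
        return true;
    }
    // ".." bounded by a separator (or the string ends), either slash style,
    // raw or URL-encoded: "../", "..\", "%2e%2e%2f", "..%2f", "%2e%2e%5c".
    $decoded = rawurldecode($value);
    if (preg_match('#(^|[\\\\/])\.\.([\\\\/]|$)#', $decoded)) {
        return true;
    }
    // Stream wrappers usable with include(); http(s) URLs in fields are left alone.
    if (preg_match('#^\s*(php|phar|data|expect|file|glob|compress\.\w+)://#i', $decoded)) {
        return true;
    }
    return false;
}

// Core passes null as $check; returning a non-null value skips the write.
function lfi_meta_guard($check, $object_id, $meta_key, $meta_value) {
    if ($check === null && lfi_meta_value_is_suspicious($meta_value)) {
        $user = function_exists('get_current_user_id') ? get_current_user_id() : 0;
        error_log(sprintf('lfi-meta-guard: blocked meta "%s" (object/meta id %d) from user %d',
            $meta_key, $object_id, $user));
        return false;                        // not saved
    }
    return $check;                           // null: let core proceed
}

if (function_exists('add_filter')) {
    add_filter('add_post_metadata',    'lfi_meta_guard', 10, 4);
    add_filter('update_post_metadata', 'lfi_meta_guard', 10, 4);
    // The classic editor's Custom Fields box updates by meta id; this filter's
    // argument order is ($check, $meta_id, $meta_value, $meta_key).
    add_filter('update_post_metadata_by_mid', function ($check, $meta_id, $meta_value, $meta_key) {
        return lfi_meta_guard($check, (int) $meta_id, $meta_key, $meta_value);
    }, 10, 4);
}

// Stand-alone self-check (`php lfi-meta-guard.php`) with constructed values.
if (PHP_SAPI === 'cli' && !function_exists('add_filter')) {
    $cases = [
        'default'                                               => false,
        'https://example.com/review'                            => false,
        'a..b'                                                  => false,
        '../../../../usr/share/php/pearcmd'                     => true,
        '..%2f..%2fwp-config'                                   => true,
        'php://filter/convert.base64-encode/resource=wp-config' => true,
        "compact\0"                                             => true,
    ];
    foreach ($cases as $value => $expected) {
        if (lfi_meta_value_is_suspicious($value) !== $expected) {
            fwrite(STDERR, "check failed for: " . addcslashes($value, "\0") . "\n");
            exit(1);
        }
    }
    echo "meta guard checks passed\n";
}
```

This is a stopgap, not a fix: it blocks the known payload shapes for every meta key because no legitimate custom field should contain a traversal sequence, but it cannot know which key the vulnerable include reads, and it does nothing for values already stored. Query wp_postmeta for the same patterns when you deploy it, and remove it once the upgraded plugin is in place so it does not mask future regressions.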


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-03-10T12:30:43.872Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d9817c4522896dcbd710d

Added to database: 5/21/2025, 9:08:39 AM

Last enriched: 7/12/2025, 4:49:29 AM

Last updated: 7/30/2025, 8:44:46 PM

