
CVE-2025-25109: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in JoomSky WP Vehicle Manager

Published: Mon Mar 03 2025 (03/03/2025, 13:30:23 UTC)
Source: CVE Database V5
Vendor/Project: JoomSky
Product: WP Vehicle Manager

Description

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in JoomSky WP Vehicle Manager js-vehicle-manager allows PHP Local File Inclusion. This issue affects WP Vehicle Manager: from n/a through <= 3.1.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 04/01/2026, 21:54:16 UTC

Technical Analysis

CVE-2025-25109 is a Local File Inclusion (LFI) vulnerability in the JoomSky WP Vehicle Manager WordPress plugin, affecting versions up to and including 3.1. The vulnerability arises from improper validation and control of a filename parameter that is passed to a PHP include or require statement. This allows an attacker to manipulate the input so that arbitrary files from the web server's local filesystem are included. An attacker who exploits this can read sensitive files, such as configuration files containing credentials, and can execute arbitrary PHP code if they are also able to place a malicious file on the server. The weakness is classified as improper control of filename for include/require statements, a common PHP security issue. No CVSS score has been assigned yet, and no public exploits have been reported. The vulnerability was reserved in early February 2025 and published in March 2025. The plugin is widely used on WordPress sites that manage vehicle listings, making it a target for attackers seeking to compromise automotive-related websites or gain footholds in WordPress environments. The absence of an authentication requirement for exploitation increases the attack surface significantly. Successful exploitation can lead to remote code execution, data disclosure, and potentially full server compromise.

Potential Impact

The impact of this vulnerability is significant for organizations using the affected WP Vehicle Manager plugin. Successful exploitation can lead to remote code execution on the web server, allowing attackers to execute arbitrary PHP code, potentially leading to full server compromise. This can result in data theft, website defacement, installation of backdoors, or pivoting to internal networks. Confidentiality is at risk due to possible exposure of sensitive files such as database credentials or configuration files. Integrity and availability can also be compromised by malicious modifications or denial of service attacks. Since the vulnerability does not require authentication, any attacker with network access to the vulnerable WordPress site can attempt exploitation. This increases the risk for publicly accessible websites. Organizations relying on this plugin for vehicle management, especially in sectors like automotive sales, rentals, or fleet management, face operational disruption and reputational damage if exploited.

Mitigation Recommendations

To mitigate this vulnerability, organizations should immediately identify if they are using the JoomSky WP Vehicle Manager plugin version 3.1 or earlier. Until a patch is released, the safest approach is to disable or uninstall the plugin to eliminate the attack vector. Monitor official JoomSky channels and security advisories for patch releases and apply updates promptly once available. Implement web application firewalls (WAFs) with rules to detect and block suspicious include/require parameter manipulations. Restrict file permissions on the web server to limit access to sensitive files and directories, reducing the impact of potential LFI exploitation. Conduct regular security audits and vulnerability scans on WordPress installations and plugins. Employ network segmentation and least privilege principles to limit attacker movement if compromise occurs. Additionally, monitor logs for unusual file access patterns indicative of LFI attempts.


Technical Details

Data Version: 5.2
Assigner Short Name: Patchstack
Date Reserved: 2025-02-03T13:34:30.657Z
CVSS Version: null
State: PUBLISHED

Threat ID: 69cd728be6bfc5ba1deeabcf

Added to database: 4/1/2026, 7:31:23 PM

Last enriched: 4/1/2026, 9:54:16 PM

Last updated: 4/6/2026, 11:30:37 AM
