CVE-2025-26979 identifies a Local File Inclusion (LFI) vulnerability in the Aman Funnel Builder by FunnelKit WordPress plugin, specifically in versions up to 3.9.0. The vulnerability stems from improper control over the filename parameter used in PHP include or require statements, which allows an attacker to manipulate the input and cause the application to include unintended local files. This can lead to disclosure of sensitive files such as configuration files, source code, or credentials stored on the server. While the description mentions 'PHP Remote File Inclusion,' the actual issue is a Local File Inclusion, which is generally easier to exploit when combined with other vulnerabilities or misconfigurations. The plugin is widely used for building sales funnels within WordPress, making it a valuable target for attackers aiming to compromise websites or steal data. No CVSS score has been assigned yet, and no known exploits have been reported in the wild, but the vulnerability is publicly disclosed and should be addressed promptly. The root cause is insufficient input validation or sanitization of the filename parameter before it is passed to PHP's include/require functions. Attackers can craft requests that manipulate this parameter to include arbitrary files from the server's filesystem. This can lead to information disclosure, and in some cases, if the attacker can upload files or leverage other vulnerabilities, it may lead to remote code execution. The vulnerability affects all versions up to and including 3.9.0, and no patch links are currently provided, indicating that a fix may be forthcoming or under development. Organizations using this plugin should monitor vendor advisories closely and prepare to update as soon as a patch is available.

The primary impact of CVE-2025-26979 is the potential exposure of sensitive local files on web servers running vulnerable versions of the Funnel Builder by FunnelKit plugin. This can lead to leakage of configuration files, database credentials, or other sensitive information that attackers can use to escalate privileges or further compromise the system. In worst-case scenarios, if combined with other vulnerabilities such as file upload flaws or weak permissions, attackers could achieve remote code execution, leading to full system compromise. The vulnerability affects the confidentiality and integrity of affected systems and can disrupt availability if exploited to execute malicious code or cause application failures. Given the plugin's use in e-commerce and marketing funnel websites, exploitation could result in data breaches, loss of customer trust, financial damage, and regulatory penalties. The ease of exploitation without authentication and lack of user interaction requirements increase the risk, especially for publicly accessible websites. Organizations worldwide using this plugin in their WordPress environments are at risk until patched.

1. Monitor official FunnelKit and Aman vendor channels for security advisories and apply patches immediately once released. 2. In the interim, restrict access to the vulnerable plugin files using web server configuration (e.g., .htaccess rules) to block unauthorized requests targeting include parameters. 3. Employ a Web Application Firewall (WAF) with rules to detect and block suspicious file inclusion attempts and malicious input patterns targeting PHP include/require functions. 4. Conduct thorough input validation and sanitization on all user-supplied parameters, especially those used in file operations, to prevent manipulation. 5. Limit the PHP include paths to trusted directories only, using PHP configuration directives such as open_basedir to restrict file system access. 6. Regularly audit and monitor web server logs for unusual requests or errors related to file inclusion. 7. Educate development teams on secure coding practices to avoid similar vulnerabilities in custom plugins or themes. 8. Consider isolating critical web applications in segmented environments to limit the blast radius of potential exploitation.