CVE-2025-4414: CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in cmsmasters CMSMasters Content Composer

Severity: High
Published: Fri Jul 04 2025 (07/04/2025, 11:17:50 UTC)
Source: CVE Database V5
Vendor/Project: cmsmasters
Product: CMSMasters Content Composer

Description

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in cmsmasters CMSMasters Content Composer allows PHP Local File Inclusion. This issue affects CMSMasters Content Composer: from n/a through n/a.

AI-Powered Analysis

Last updated: 07/04/2025, 11:43:13 UTC

Technical Analysis

CVE-2025-4414 is a high-severity vulnerability classified under CWE-98, improper control of the filename used in include or require statements in PHP programs. It affects CMSMasters Content Composer, a content management system plugin or component. The flaw allows PHP Remote File Inclusion (RFI): by manipulating the filename parameter passed to an include or require statement, an attacker can include and execute arbitrary PHP code from a remote location. Although the description mentions PHP Local File Inclusion (LFI), the core issue is improper validation or sanitization of the input that controls file inclusion, which can lead to remote code execution.

The CVSS 3.1 base score is 8.1 (high), with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. The attack can be performed remotely over the network without privileges or user interaction, but requires high attack complexity. Successful exploitation severely impacts confidentiality, integrity, and availability, allowing attackers to execute arbitrary code and potentially leading to full system compromise.

No specific affected versions are listed, and no patches or known exploits in the wild have been reported yet. The vulnerability was reserved in May 2025 and published in July 2025, indicating it is a recent discovery. The lack of patch links suggests that remediation may still be pending or in progress. Given the nature of CMS software and the criticality of remote code execution vulnerabilities, this issue represents a significant risk to affected systems.

Potential Impact

For European organizations using CMSMasters Content Composer, this vulnerability poses a substantial risk. Exploitation could lead to unauthorized access to sensitive data, defacement or manipulation of web content, and disruption of services. Since CMS platforms often manage public-facing websites, successful attacks could damage organizational reputation and lead to regulatory non-compliance, especially under GDPR due to potential data breaches. The high severity and remote exploitability without authentication mean attackers can target vulnerable systems at scale. Additionally, the high attack complexity may limit opportunistic attacks but does not preclude targeted campaigns, especially against high-value targets such as government, financial institutions, or critical infrastructure operators in Europe. The absence of known exploits in the wild currently reduces immediate risk but also implies that organizations should act proactively before exploitation becomes widespread.

Mitigation Recommendations

Organizations should immediately inventory their web assets to identify any deployments of CMSMasters Content Composer. Given the lack of available patches, temporary mitigations include restricting access to the vulnerable component via web application firewalls (WAFs) with rules blocking suspicious include/require parameter patterns, and disabling remote file inclusion functionality in PHP configurations (e.g., setting 'allow_url_include' to 'Off'). Input validation and sanitization should be enforced at the application level to prevent malicious filename inputs. Monitoring web server and application logs for unusual requests targeting file inclusion parameters is critical for early detection. Organizations should engage with the vendor or security community to obtain patches or updates as soon as they become available and plan for rapid deployment. Additionally, implementing network segmentation and least privilege principles can limit the impact of a successful exploit.
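The log monitoring recommended above can start as a small triage script; the following is an added example, not code from the vendor or from this advisory. It scans combined-format access log lines for query-string values shaped like directory traversal, URL or stream-wrapper references, or null bytes. The advisory does not name the vulnerable parameter, so the `template` parameter, paths, and log lines are constructed, and every parameter is checked.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Combined-log-format prefix: client IP ... "METHOD target HTTP/x" status
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Value shapes that have no business in a parameter naming a file to include.
INDICATORS = {
    "traversal": re.compile(r"\.\.[/\\]"),
    "url_or_wrapper": re.compile(r"^\s*(?:https?|ftp|php|data|file|phar|zip|expect):", re.I),
    "null_byte": re.compile(r"\x00"),
}

# Constructed sample lines (documentation IP ranges, hypothetical "template" parameter).
SAMPLE_LOG = [
    '192.0.2.10 - - [04/Jul/2025:12:00:01 +0000] "GET /?page_id=42 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [04/Jul/2025:12:00:05 +0000] "GET /index.php?template=..%2F..%2Fnotes.txt HTTP/1.1" 200 312',
    '198.51.100.7 - - [04/Jul/2025:12:00:09 +0000] "GET /index.php?template=%252e%252e%252fnotes.txt HTTP/1.1" 404 0',
    '203.0.113.5 - - [04/Jul/2025:12:00:12 +0000] "POST /index.php?template=http%3A%2F%2Fhost.invalid%2Fx.txt HTTP/1.1" 200 88',
]

def fully_decode(value, rounds=3):
    """Undo layered percent-encoding (such as %252e) up to a fixed bound."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan_line(line):
    """Return (ip, status, param, indicator) tuples for one access-log line."""
    m = REQUEST_RE.match(line)
    if not m:
        return []
    hits = []
    # parse_qsl decodes once; fully_decode peels any further encoding layers.
    for name, raw in parse_qsl(urlsplit(m["target"]).query, keep_blank_values=True):
        value = fully_decode(raw)
        for label, pattern in INDICATORS.items():
            if pattern.search(value):
                hits.append((m["ip"], int(m["status"]), name, label))
    return hits

def scan_log(lines):
    """Scan every line and return all hits in log order."""
    return [hit for line in lines for hit in scan_line(line)]
```

Hits are triage leads rather than verdicts: a legitimate redirect parameter carrying a full URL will also match, and POST bodies do not appear in access logs, so a hit with a 200 status deserves attention first.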

Technical Details

Data Version: 5.1
Assigner Short Name: Patchstack
Date Reserved: 2025-05-07T10:46:04.912Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6867b9f16f40f0eb72a049ef

Added to database: 7/4/2025, 11:24:33 AM

Last enriched: 7/4/2025, 11:43:13 AM

Last updated: 7/13/2025, 3:08:18 PM
