CVE-2025-47440 is a high-severity vulnerability classified under CWE-98, which pertains to improper control of filenames used in include or require statements within PHP applications. Specifically, this vulnerability affects the WPAdverts plugin developed by Greg Winiarski, versions up to and including 2.2.2. The flaw allows an attacker to perform a PHP Local File Inclusion (LFI) attack by manipulating the filename parameter used in include or require statements without proper validation or sanitization. This can lead to the inclusion and execution of arbitrary local files on the server. The vulnerability has a CVSS v3.1 base score of 7.5, indicating a high level of risk. The vector string (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) shows that the attack can be performed remotely over the network (AV:N) but requires high attack complexity (AC:H) and low privileges (PR:L), with no user interaction (UI:N). The impact on confidentiality, integrity, and availability is high (C:H/I:H/A:H), meaning an attacker could potentially read sensitive files, modify server files, and disrupt service availability. No known exploits are reported in the wild yet, and no patches have been linked at the time of publication. The vulnerability arises because the plugin does not properly control or sanitize the input used in PHP include or require statements, allowing malicious actors to specify local files to be included and executed by the PHP interpreter. This can lead to remote code execution or information disclosure depending on the files included.

For European organizations using the WPAdverts plugin, particularly those running WordPress sites that rely on this plugin for classified ads or similar functionality, this vulnerability poses a significant risk. Exploitation could lead to unauthorized disclosure of sensitive data, including configuration files, credentials, or personal data protected under GDPR. Additionally, attackers could modify website content, inject malicious code, or disrupt service availability, impacting business operations and reputation. Given the high confidentiality, integrity, and availability impact, organizations could face regulatory penalties, loss of customer trust, and operational downtime. The requirement for low privileges means that even users with limited access could potentially exploit this vulnerability, increasing the attack surface. The high attack complexity somewhat reduces the likelihood of widespread exploitation but does not eliminate the risk, especially if attackers develop automated tools. The lack of user interaction requirement means attacks can be automated and executed remotely, increasing the threat level for exposed web servers.

European organizations should immediately audit their WordPress installations to identify if WPAdverts plugin versions up to 2.2.2 are in use. Until an official patch is released, organizations should consider the following mitigations: 1) Restrict access to the affected plugin files and directories via web server configuration (e.g., .htaccess rules) to prevent unauthorized HTTP requests targeting vulnerable endpoints. 2) Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious requests attempting to exploit file inclusion patterns. 3) Disable or restrict the use of PHP include/require statements that use user-supplied input where possible, or implement strict input validation and sanitization to allow only expected filenames. 4) Monitor server logs for unusual file access patterns or errors indicative of attempted file inclusion attacks. 5) Isolate the WordPress environment with least privilege principles, ensuring the web server user has minimal file system permissions to limit the impact of a successful exploit. 6) Prepare for rapid patch deployment once an official fix is available from the vendor. 7) Conduct regular backups and have an incident response plan in place to quickly recover from potential compromises.