CVE-2025-49282: CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in Unfoldwp Magze
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Unfoldwp Magze allows PHP Local File Inclusion. This issue affects Magze: from n/a through 1.0.9.
AI Analysis
Technical Summary
CVE-2025-49282 is a high-severity vulnerability classified under CWE-98, improper control of the filename used in a PHP include or require statement. It affects the Unfoldwp Magze product, versions up to and including 1.0.9. The flaw allows PHP Local File Inclusion (LFI): an attacker can manipulate the filename parameter passed to an include or require statement so that the server includes, and therefore executes, arbitrary local files. This can lead to remote code execution if the attacker can control or upload files on the server, or to disclosure of sensitive information by including configuration files, logs, or other sensitive data. The CVSS v3.1 base score is 8.1, reflecting high impact on confidentiality, integrity, and availability, with a network attack vector, high attack complexity, no privileges required, and no user interaction needed. The vulnerability is exploitable remotely over the network, but its high attack complexity likely reflects input validation or environment constraints. No exploits are currently reported in the wild, and no patches have been linked yet. The root cause is insufficient validation or sanitization of user-supplied input used in PHP include/require statements, which lets an attacker specify unintended files for inclusion. Successful exploitation can lead to full compromise of the affected web server and potentially of the underlying network.
Potential Impact
For European organizations using the Unfoldwp Magze product, this vulnerability poses a significant risk. Successful exploitation could lead to unauthorized disclosure of sensitive data, including customer information, intellectual property, or internal configuration files. It could also allow attackers to execute arbitrary code on the web server, leading to full system compromise, data tampering, or service disruption. This is particularly critical for organizations in sectors such as finance, healthcare, government, and critical infrastructure, where data confidentiality and service availability are paramount. Given the network-based attack vector and no requirement for authentication or user interaction, attackers can remotely exploit vulnerable systems without insider access, increasing the threat surface. The high attack complexity may limit widespread exploitation but does not eliminate the risk, especially from skilled threat actors. Additionally, exploitation could be used as a foothold for lateral movement within corporate networks, increasing the overall impact on organizational security posture.
Mitigation Recommendations
European organizations should immediately identify any deployments of Unfoldwp Magze, especially versions up to 1.0.9, and prioritize their remediation. Since no official patches are currently linked, organizations should implement the following mitigations:
1) Apply strict input validation and sanitization on all user-supplied parameters that influence file inclusion, ensuring only allowed filenames or paths are accepted.
2) Employ web application firewalls (WAFs) with custom rules to detect and block suspicious include/require parameter manipulations indicative of LFI attempts.
3) Restrict PHP configuration settings such as 'allow_url_include' to 'Off' and disable dangerous functions if possible.
4) Implement least privilege principles on the web server file system to limit accessible files and directories, reducing the impact of file inclusion.
5) Monitor logs for unusual file access patterns or errors related to include/require statements.
6) Prepare for patch deployment by closely monitoring vendor advisories and applying updates as soon as they become available.
7) Conduct regular security assessments and code reviews focusing on file inclusion logic in web applications.
These targeted actions go beyond generic advice by focusing on the specific nature of the vulnerability and the affected product.
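The following is an added example of what mitigations 1, 3, 4 and 5 look like in code for a CWE-98 pattern. It is not Magze's code and the page does not name the vulnerable parameter; the `template` query parameter, the `templates/` directory and the template map are assumptions. The request value is never used as part of a path: it is only a key into an allowlist, and the resolved file is additionally checked with `realpath()` to lie inside the template directory. Rejections are logged so they can be watched for (mitigation 5).

```php
<?php
// Added example (not Unfoldwp Magze code): allowlisted template loading as a
// hardened replacement for a user-controlled include/require.
declare(strict_types=1);

// Allowlist: external key -> template file name. A request value is only ever
// used as a lookup key here, never concatenated into a path.
const TEMPLATE_MAP = [
    'home'    => 'home.php',
    'archive' => 'archive.php',
    'single'  => 'single.php',
];

// Assumed layout: templates live beside this script in templates/.
const TEMPLATE_DIR = __DIR__ . '/templates';

/**
 * Resolve a user-supplied template key to an absolute path, or null when the
 * request must be rejected. Two independent checks are applied: allowlist
 * membership, then a realpath() containment check so that even a mistaken map
 * entry (or a symlink) cannot point outside the template directory.
 */
function resolve_template(string $key): ?string
{
    if (!isset(TEMPLATE_MAP[$key])) {
        return null;                          // unknown key: not in allowlist
    }
    $base = realpath(TEMPLATE_DIR);
    $path = realpath(TEMPLATE_DIR . '/' . TEMPLATE_MAP[$key]);
    if ($base === false || $path === false) {
        return null;                          // directory or file missing
    }
    // Containment check: resolved file must sit strictly under $base.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

/**
 * Report PHP settings that widen the blast radius of an inclusion flaw.
 * allow_url_include only governs remote (URL) inclusion, so turning it off is
 * defence in depth, not a fix for local file inclusion; the allowlist above is
 * what actually closes the LFI. Returns a list of human-readable warnings.
 */
function check_php_config(): array
{
    $warnings = [];
    if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
        $warnings[] = 'allow_url_include is On; set it to Off (mitigation 3)';
    }
    if (filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN)) {
        $warnings[] = 'allow_url_fopen is On; review whether the site needs it';
    }
    return $warnings;
}

function render(string $key): void
{
    $path = resolve_template($key);
    if ($path === null) {
        http_response_code(404);
        // json_encode keeps the rejected value on one line and escapes control
        // characters, so the log line itself cannot be used to forge entries.
        error_log('template key rejected: ' . json_encode($key));
        return;
    }
    require $path;                            // only an allowlisted, contained file
}

foreach (check_php_config() as $warning) {
    error_log('php config: ' . $warning);
}

// Entry point: default to 'home' when the parameter is absent.
render((string) ($_GET['template'] ?? 'home'));
```

The map lookup means input such as a path, a traversal sequence or a stream wrapper never reaches `require`; it simply fails `isset()` and is logged. Running the web server user with read access limited to the document root (mitigation 4) keeps the containment check from being the only barrier.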
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Patchstack
- Date Reserved: 2025-06-04T09:41:31.235Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68487f5a1b0bd07c3938b46c
Added to database: 6/10/2025, 6:54:18 PM
Last enriched: 7/10/2025, 10:46:59 PM
Last updated: 8/3/2025, 12:17:35 AM