CVE-2025-49307: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in Magazine3 WP Multilang
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Magazine3 WP Multilang wp-multilang allows PHP Local File Inclusion. This issue affects WP Multilang: from n/a through <= 2.4.19.
AI Analysis
Technical Summary
CVE-2025-49307 affects the Magazine3 WP Multilang plugin for WordPress, specifically versions up to 2.4.19. It arises from improper control over the filename used in PHP include or require statements, enabling PHP Local File Inclusion (LFI). This can allow an attacker with low privileges and no user interaction to execute arbitrary code or access sensitive files on the server. The CVSS 3.1 vector indicates a network attack vector, high attack complexity, low privileges required, no user interaction, unchanged scope, and high impact on confidentiality, integrity, and availability.
Potential Impact
Successful exploitation of this vulnerability can lead to local file inclusion, potentially allowing attackers to execute arbitrary PHP code, read sensitive files, or disrupt service. The impact is high across confidentiality, integrity, and availability, meaning attackers could fully compromise the affected system or application data.
Mitigation Recommendations
No official patch or remediation guidance is currently available from the vendor, and patch status is not yet confirmed; check the vendor advisory for current remediation guidance. Users should closely monitor Magazine3's advisories or trusted security sources for updates. Until a fix is released, consider disabling or removing the WP Multilang plugin if feasible to reduce exposure.
Technical Details
- Data Version: 5.1
- Assigner Short Name: Patchstack
- Date Reserved: 2025-06-04T09:42:00.390Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 6842ede171f4d251b5c88142
Added to database: 6/6/2025, 1:32:17 PM
Last enriched: 5/1/2026, 3:22:40 PM
Last updated: 5/9/2026, 5:03:06 AM