CVE-2025-49921 is a vulnerability classified as improper control of filename for include/require statements in the PHP program CrocoBlock JetReviews plugin, version 3.0.0 and earlier. This vulnerability manifests as a Local File Inclusion (LFI) flaw, where the application fails to properly sanitize or restrict the filename parameter used in PHP include or require functions. As a result, an attacker can manipulate the input to include arbitrary local files from the server's filesystem. This can lead to disclosure of sensitive files (e.g., configuration files, password stores), execution of malicious code if combined with other vulnerabilities, or denial of service by including invalid or large files. The vulnerability is remotely exploitable over the network without requiring authentication or user interaction, increasing its risk profile. The CVSS 3.1 base score of 7.3 reflects a high severity, with network attack vector, low attack complexity, no privileges required, and no user interaction needed. The scope is unchanged, but the impact affects confidentiality, integrity, and availability to a limited extent. Although no public exploits have been reported yet, the vulnerability is published and should be considered a serious threat to any system running the affected JetReviews versions. CrocoBlock JetReviews is a WordPress plugin widely used for managing and displaying customer reviews, making it a common target for attackers seeking to compromise websites and their underlying infrastructure.

For European organizations, this vulnerability poses significant risks including unauthorized disclosure of sensitive data stored on web servers, potential remote code execution if attackers chain this LFI with other vulnerabilities, and service disruption through denial of service attacks. Organizations using JetReviews in e-commerce, customer feedback platforms, or content management systems could face reputational damage, regulatory penalties under GDPR due to data breaches, and operational downtime. The ability to exploit this vulnerability without authentication or user interaction increases the likelihood of automated attacks and widespread exploitation. Given the prevalence of WordPress and CrocoBlock plugins in Europe, especially among SMEs and digital service providers, the threat could impact a broad range of sectors including retail, finance, healthcare, and public services. The exposure of internal files could also facilitate further lateral movement within networks, increasing the overall security risk.

Immediate mitigation involves applying vendor patches once released; however, as no patch links are currently available, organizations should implement compensating controls. These include disabling or uninstalling the JetReviews plugin if not essential, restricting web server permissions to limit accessible files, and employing web application firewalls (WAFs) to detect and block suspicious include/require requests. Input validation and sanitization should be enforced at the application level to prevent manipulation of filename parameters. Monitoring web server logs for anomalous requests targeting include or require parameters can help detect exploitation attempts early. Additionally, organizations should conduct vulnerability scans specifically targeting this CVE and review plugin usage across their WordPress environments. Network segmentation and least privilege principles can limit the impact if exploitation occurs. Finally, maintaining regular backups and incident response plans will aid in recovery if an attack succeeds.