CVE-2025-49921 is a vulnerability classified as improper control of filename for include/require statements in the PHP-based CrocoBlock JetReviews plugin, affecting versions up to and including 3.0.0. This flaw allows an attacker to perform Local File Inclusion (LFI) attacks by manipulating the filename parameter used in PHP's include or require functions without proper validation or sanitization. LFI vulnerabilities enable attackers to include files from the local filesystem, potentially exposing sensitive data such as configuration files, source code, or credentials. In some cases, LFI can be leveraged to execute arbitrary code if combined with other vulnerabilities or misconfigurations. The vulnerability is remotely exploitable over the network without requiring authentication or user interaction, increasing its risk profile. The CVSS 3.1 base score of 7.3 reflects a high severity due to its ease of exploitation and impact on confidentiality, integrity, and availability. Although no public exploits are currently known, the widespread use of JetReviews in WordPress environments makes this a critical issue for website security. The vulnerability was reserved in June 2025 and published in October 2025, indicating recent discovery and disclosure. No official patches or mitigations are listed yet, so organizations must monitor vendor advisories closely. The vulnerability's root cause lies in insufficient input validation on the filename parameter used in PHP include/require statements, a common security pitfall in web applications.

For European organizations, this vulnerability can lead to significant risks including unauthorized disclosure of sensitive information, such as database credentials, user data, or internal configuration files. Attackers could leverage LFI to read critical files or potentially chain with other vulnerabilities to achieve remote code execution, leading to full server compromise. This can result in data breaches, defacement, service disruption, and reputational damage. Organizations running WordPress sites with CrocoBlock JetReviews are particularly at risk, especially those in sectors with strict data protection requirements like finance, healthcare, and government. The vulnerability's network accessibility and lack of authentication requirements increase the likelihood of exploitation. Additionally, shared hosting environments common in Europe may amplify the impact by exposing multiple tenants to risk. The potential for availability impact also threatens business continuity and could lead to regulatory non-compliance under GDPR if personal data is exposed.

1. Monitor CrocoBlock vendor channels and security advisories for official patches addressing CVE-2025-49921 and apply them immediately upon release. 2. In the absence of patches, implement strict input validation and sanitization on any parameters controlling file inclusion paths within JetReviews or related custom code. 3. Employ web application firewalls (WAFs) with rules specifically designed to detect and block LFI attack patterns, such as suspicious traversal sequences or unexpected file inclusion attempts. 4. Restrict PHP include paths using configuration directives (e.g., open_basedir) to limit accessible directories and prevent inclusion of unauthorized files. 5. Conduct thorough security audits of WordPress plugins and themes to identify and remediate similar insecure coding practices. 6. Isolate critical web applications on dedicated servers or containers to reduce the blast radius of potential exploits. 7. Regularly back up website data and configurations to enable rapid recovery in case of compromise. 8. Educate developers and administrators on secure coding practices related to file inclusion and input handling.