CVE-2025-53450 is a high-severity vulnerability classified under CWE-98, which involves improper control of filenames used in include or require statements within PHP programs. Specifically, this vulnerability affects the Pluginwale Easy Pricing Table WordPress plugin versions up to 1.1.3. The flaw allows for PHP Local File Inclusion (LFI), where an attacker can manipulate the filename parameter to include arbitrary files from the local server. This can lead to the execution of malicious code, disclosure of sensitive information, or further exploitation of the system. The vulnerability arises because the plugin fails to properly validate or sanitize user-supplied input used in PHP include/require statements, enabling attackers to traverse directories or include unintended files. The CVSS v3.1 base score is 7.5, indicating a high severity level, with the vector string AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H. This means the attack can be performed remotely over the network but requires low privileges and high attack complexity, without user interaction. Successful exploitation can compromise confidentiality, integrity, and availability of the affected system. Although no known exploits are currently reported in the wild, the vulnerability's nature and impact make it a significant risk for WordPress sites using this plugin. No official patches or updates are currently linked, so mitigation may require manual intervention or disabling the plugin until a fix is released.

For European organizations, this vulnerability poses a considerable risk, especially for those relying on WordPress websites with the Easy Pricing Table plugin installed. Exploitation can lead to unauthorized access to sensitive data, website defacement, or complete server compromise, which can disrupt business operations and damage reputation. Given the high confidentiality, integrity, and availability impact, organizations handling personal data under GDPR could face regulatory consequences if breaches occur. The attack complexity is high but requires only low privileges, meaning that even users with limited access or attackers exploiting other vulnerabilities could leverage this flaw. The lack of user interaction requirement facilitates automated attacks. This vulnerability could be exploited to pivot within internal networks, affecting broader IT infrastructure. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, as attackers may develop exploits once the vulnerability becomes public knowledge.

European organizations should immediately audit their WordPress installations to identify the presence of the Pluginwale Easy Pricing Table plugin, especially versions up to 1.1.3. Until an official patch is released, it is advisable to disable or uninstall the plugin to eliminate exposure. If the plugin is essential, organizations should implement strict input validation and sanitization on any parameters that influence file inclusion, potentially through custom code or web application firewalls (WAFs) with rules targeting LFI attempts. Monitoring web server logs for suspicious requests attempting directory traversal or unusual file inclusion patterns is critical. Additionally, organizations should ensure that PHP configurations disable dangerous functions like allow_url_include and restrict file system permissions to limit the impact of any inclusion attempts. Regular backups and incident response plans should be updated to quickly recover from potential exploitation. Finally, maintaining up-to-date WordPress core and plugins and subscribing to vulnerability disclosure sources will help in timely patch application once available.