CVE-2025-54017: CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in Cozmoslabs Paid Member Subscriptions

High
Tags: Vulnerability, CVE-2025-54017, cve, cwe-98
Published: Wed Aug 20 2025 (08/20/2025, 08:03:03 UTC)
Source: CVE Database V5
Vendor/Project: Cozmoslabs
Product: Paid Member Subscriptions

Description

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Cozmoslabs Paid Member Subscriptions allows PHP Local File Inclusion. This issue affects Paid Member Subscriptions: from n/a through 2.15.4.

AI-Powered Analysis

AI analysis last updated: 08/20/2025, 08:39:28 UTC

Technical Analysis

CVE-2025-54017 is a high-severity vulnerability classified under CWE-98, Improper Control of Filename for Include/Require Statement in PHP Program. It affects the Cozmoslabs Paid Member Subscriptions plugin, a WordPress plugin used to manage membership subscriptions, in all versions up to and including 2.15.4. The advisory describes the outcome as PHP Local File Inclusion (LFI): a value the attacker can influence reaches a PHP include or require statement without sufficient restriction, so the attacker chooses which file on the server's filesystem is included and executed as PHP.

A note on the CWE title: CWE-98 is named after remote file inclusion, but the description here is explicitly local inclusion. On a default PHP configuration (allow_url_include is Off, and the option has been deprecated since PHP 7.4) include() will not fetch remote URLs, so the practical attack is against files already on the host. That is still serious. An LFI discloses any file the web server user can read, including wp-config.php with its database credentials, and it becomes code execution as soon as the attacker can get PHP code into a local file that is then included, for example through an uploaded file with a harmless extension, a poisoned web or mail log, or PHP session files.

The CVSS v3.1 base score is 7.5 (High) with vector CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H: exploitable over the network (AV:N) without privileges (PR:N), but with high attack complexity (AC:H) and requiring user interaction (UI:R); scope is unchanged and the impact on confidentiality, integrity and availability is rated high. AC:H and UI:R are what keep the score below the 9.8 an unauthenticated, interaction-free LFI would receive: a crafted request alone is not enough, some action by a victim user is needed, and additional conditions outside the attacker's control must hold. No exploits in the wild were known at publication time. The advisory gives the affected range as "through 2.15.4" but names no fixed release; administrators should check the vendor changelog for a later version rather than assume no fix exists.

The root cause is the one CWE-98 describes: the plugin builds the argument of an include/require statement from user-controlled input without validating it against a fixed set of permitted files or confining it to a directory, so directory traversal sequences in that input select arbitrary local files.
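The pattern CWE-98 describes, and one way to close it, as an added example written for this page. It is not code from the Paid Member Subscriptions plugin, whose vulnerable parameter and file the advisory does not name; the 'template' parameter, the templates/ directory and the template names are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not code from the Paid Member Subscriptions plugin or from Cozmoslabs.
// It reproduces the CWE-98 pattern the advisory describes and one way to close it.
// The 'template' parameter, the templates/ directory and the names below are assumptions.

const ALLOWED_TEMPLATES = ['login', 'register', 'account'];

/**
 * VULNERABLE: the request picks the file. With allow_url_include=Off this is LFI,
 * not RFI, but "../" sequences still reach any readable file on disk, and a file the
 * attacker controls (an uploaded "image" containing <?php, a poisoned log) turns
 * disclosure into code execution once it is included.
 */
function resolve_template_vulnerable(string $baseDir, string $template): string
{
    return $baseDir . '/' . $template;            // e.g. ?template=../../../../etc/passwd
}

/**
 * HARDENED: (1) map the request value through an allowlist, so the include target
 * is never attacker-chosen; (2) resolve and re-check the final path so a future
 * allowlist mistake still cannot leave $baseDir. Returns null when the input is rejected.
 */
function resolve_template_safe(string $baseDir, string $template): ?string
{
    if (!in_array($template, ALLOWED_TEMPLATES, true)) {
        return null;                               // unknown name: refuse, do not "sanitize"
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $template . '.php');
    if ($base === false || $path === false) {
        return null;                               // realpath() needs an existing file
    }
    // Prefix check including the separator, so "/templates_evil/x.php" is not accepted for "/templates".
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// --- Self-contained demo: a throw-away templates/ directory with constructed files. ---
$base = sys_get_temp_dir() . '/cwe98_demo_' . bin2hex(random_bytes(4));
mkdir($base . '/templates', 0700, true);
file_put_contents($base . '/templates/login.php', "<?php echo \"login template\\n\";");
file_put_contents($base . '/secret.txt', "not for you\n");

// One legitimate value and two traversal payloads (the second reaches outside the demo tree).
$inputs = ['login', '../secret.txt', '../../../../etc/passwd'];
foreach ($inputs as $in) {
    $v = resolve_template_vulnerable($base . '/templates', $in);
    $s = resolve_template_safe($base . '/templates', $in);
    printf("%-28s vulnerable -> %s | safe -> %s\n",
        var_export($in, true),
        is_file($v) ? 'INCLUDES ' . realpath($v) : 'no such file',
        $s === null ? 'rejected' : 'includes ' . $s);
}

// Only the hardened resolver's result is ever passed to include().
$path = resolve_template_safe($base . '/templates', 'login');
if ($path !== null) {
    include $path;
}
```

The allowlist does the real work; the realpath() prefix check is only a backstop. Because realpath() requires the target to exist, it is applied after the allowlist rather than instead of it, and the vulnerable resolver is shown only so the two outputs can be compared.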

Potential Impact

For European organizations running the Cozmoslabs Paid Member Subscriptions plugin, the exposure is the data the plugin manages: subscriber personal data, payment-related records and subscription status, together with anything else readable by the web server user, such as wp-config.php and the database credentials in it. Disclosure of that data is a personal data breach under GDPR with the notification duties and potential fines that follow. Where the inclusion can be escalated to code execution, the attacker gains a foothold on the web server from which to pivot into the network, deploy malware or take the site offline, affecting availability and business continuity. Organizations that depend on the plugin for membership management, for example in e-commerce, education and media, face reputational, regulatory and operational consequences. The user interaction requirement (UI:R) means an attacker likely needs a legitimate user or administrator to follow a crafted link or perform a specific action, which points to phishing as the delivery vector. The high attack complexity (AC:H) reduces but does not remove the risk; a capable attacker who has done the reconnaissance will meet the extra conditions. No exploits were known in the wild at publication, which gives defenders a window to act before the vulnerability is weaponized.

Mitigation Recommendations

European organizations should first inventory their WordPress installations for the Cozmoslabs Paid Member Subscriptions plugin and record the installed version (with WP-CLI, wp plugin list shows every plugin with its version and status). Any version up to and including 2.15.4 is affected. The durable fix is to update to a release the vendor confirms as patched; until that is confirmed and applied, the following mitigations are specific to this issue:

1) Reduce who can reach the vulnerable functionality: tighten user roles and capabilities, and restrict the plugin's front-end and admin endpoints to trusted users where the site's design allows it.

2) Add Web Application Firewall rules for file-inclusion probing: directory traversal sequences (../ and ..\ in plain, URL-encoded and double-encoded forms), PHP stream wrappers such as php://filter, and null bytes. Rules must match after full URL decoding, or double encoding will walk past them.

3) Validate input at the web server or WAF layer as a stopgap, rejecting requests whose parameter values contain path separators or wrapper prefixes; this does not replace a fix in the plugin, which must restrict include targets to an allowlist.

4) Monitor web server and PHP error logs for traversal patterns, attempts to read /etc/passwd, wp-config.php or /proc/self/environ, and include/require failures, and alert on a successful (HTTP 200) response to such a request.

5) Train users and administrators to recognize phishing, since the UI:R component means a victim's click or action is part of the attack path.

6) If the plugin cannot be protected, disable it or switch to an alternative membership solution until a secure version is in place.

7) Track vendor announcements and apply the patched release as soon as it is available.

8) Include file-inclusion tests in penetration testing of the WordPress estate to confirm no other plugin or theme exposes the same weakness.
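A first-pass log scan covering items 2 and 4, added here as an illustration and not taken from the advisory or any vendor product. The access-log lines are constructed, and the 'template' parameter is an assumption because the advisory does not name the vulnerable parameter; in production the same indicator list would feed a WAF rule or a SIEM query.

```php
<?php
declare(strict_types=1);

// Added example for mitigation items 2 and 4: a first-pass scan of web-server access
// logs for file-inclusion probing. Not part of the advisory or of any Cozmoslabs code.
// The log lines are constructed and the 'template' parameter name is an assumption;
// the advisory does not name the vulnerable parameter.

/** Indicators checked against the fully URL-decoded request target. */
const LFI_INDICATORS = [
    'traversal'   => '~\.\.[/\\\\]~',                              // ../ or ..\ component
    'php_wrapper' => '~\b(?:php|phar|zip|data|expect|glob)://~i',  // php://filter etc. aimed at include()
    'remote_url'  => '~=(?:https?|ftps?)://~i',                    // parameter value is itself a URL (RFI attempt)
    'null_byte'   => '~\x00~',                                     // legacy suffix-truncation trick
    'sensitive'   => '~(?:^|[/=])(?:etc/passwd|proc/self/environ|wp-config\.php)\b~i',
];

/** URL-decode repeatedly so double encoding (%252e%252e) is seen as "..". */
function normalize_target(string $target, int $maxRounds = 3): string
{
    for ($i = 0; $i < $maxRounds; $i++) {
        $decoded = urldecode($target);
        if ($decoded === $target) {
            break;
        }
        $target = $decoded;
    }
    return $target;
}

/** Parse one Common/Combined Log Format line; null if the line does not match. */
function parse_access_line(string $line): ?array
{
    if (!preg_match('~^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})~', $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'target' => $m[4], 'status' => (int) $m[5]];
}

/** One finding per suspicious request: source, status, decoded target and the indicators that fired. */
function scan_access_log(array $lines): array
{
    $findings = [];
    foreach ($lines as $line) {
        $req = parse_access_line($line);
        if ($req === null) {
            continue;
        }
        $decoded = normalize_target($req['target']);
        $hits = [];
        foreach (LFI_INDICATORS as $name => $regex) {
            if (preg_match($regex, $decoded)) {
                $hits[] = $name;
            }
        }
        if ($hits !== []) {
            $findings[] = ['ip' => $req['ip'], 'time' => $req['time'], 'status' => $req['status'],
                           'decoded' => $decoded, 'indicators' => $hits];
        }
    }
    return $findings;
}

// Constructed sample: one legitimate request, three probes (one double-encoded), one static asset.
$sampleLog = [
    '203.0.113.5 - - [20/Aug/2025:08:03:11 +0000] "GET /?template=login HTTP/1.1" 200 512',
    '203.0.113.5 - - [20/Aug/2025:08:03:12 +0000] "GET /?template=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1843',
    '198.51.100.7 - - [20/Aug/2025:08:04:02 +0000] "GET /?template=php://filter/convert.base64-encode/resource=wp-config.php HTTP/1.1" 200 9021',
    '198.51.100.7 - - [20/Aug/2025:08:04:03 +0000] "GET /?template=%252e%252e%252fsecret HTTP/1.1" 404 221',
    '192.0.2.9 - - [20/Aug/2025:08:05:00 +0000] "GET /wp-content/uploads/2025/08/logo.png HTTP/1.1" 200 7743',
];

foreach (scan_access_log($sampleLog) as $f) {
    // A 200 on a traversal request is the one to escalate: the include most likely succeeded.
    printf("%-13s %s HTTP %d  [%s]  %s\n",
        $f['ip'], $f['time'], $f['status'], implode(',', $f['indicators']), $f['decoded']);
}
```

Decoding has to be repeated: a single urldecode() leaves %252e as %2e, which is exactly how double encoding slips past naive WAF signatures. Expect false positives from vulnerability scanners and from legitimate URLs that happen to contain "..", and treat a 200 response to a traversal request, rather than the request itself, as the trigger for incident response.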

Technical Details

Data Version
5.1
Assigner Short Name
Patchstack
Date Reserved
2025-07-16T08:51:37.992Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 68a584b9ad5a09ad0002e3f6

Added to database: 8/20/2025, 8:18:01 AM

Last enriched: 8/20/2025, 8:39:28 AM

Last updated: 8/23/2025, 12:35:19 AM
