CVE-2025-69375 is a Local File Inclusion (LFI) vulnerability found in the SolverWp Portfolio Builder WordPress plugin (versions up to 1.2.5). The issue arises from improper control of the filename parameter used in PHP include or require statements, allowing an attacker to manipulate the input to include arbitrary files from the server. This can lead to disclosure of sensitive files such as configuration files, password files, or even execution of arbitrary PHP code if the attacker can upload malicious files or leverage other vulnerabilities. The vulnerability does not require authentication, making it accessible to remote attackers. While no known exploits have been reported in the wild, the flaw poses a significant risk due to the widespread use of WordPress and the plugin's presence on publicly accessible websites. The lack of an official patch at the time of publication increases the urgency for mitigation. The vulnerability was reserved at the end of 2025 and published in early 2026, indicating recent discovery. The absence of a CVSS score requires an independent severity assessment based on the potential impact and exploitability.

If exploited, this vulnerability could allow attackers to read sensitive files on the web server, leading to information disclosure such as database credentials, configuration details, or user data. In some scenarios, it could enable remote code execution if combined with other vulnerabilities or if the attacker can upload malicious files. This compromises the confidentiality, integrity, and availability of the affected systems. Organizations running vulnerable versions of the Portfolio Builder plugin on WordPress sites face risks of website defacement, data breaches, and potential lateral movement within their networks. The impact is particularly severe for organizations relying on these websites for business operations, customer interactions, or hosting sensitive information. The lack of authentication requirements and the ease of exploitation increase the threat level. Additionally, reputational damage and regulatory consequences may arise from successful exploitation.

1. Monitor official SolverWp channels and WordPress plugin repositories for patches or updates addressing this vulnerability and apply them immediately once available. 2. In the absence of patches, implement strict input validation and sanitization on any parameters controlling file inclusion paths to prevent manipulation. 3. Employ web application firewalls (WAFs) with rules designed to detect and block attempts to exploit file inclusion vulnerabilities, such as suspicious URL patterns or parameter tampering. 4. Restrict PHP include paths using configuration directives (e.g., open_basedir) to limit accessible directories and prevent inclusion of unauthorized files. 5. Conduct regular security audits and code reviews of custom or third-party plugins to identify similar vulnerabilities proactively. 6. Limit the exposure of the Portfolio Builder plugin by restricting access to trusted users or IP addresses where feasible. 7. Maintain up-to-date backups and incident response plans to quickly recover from potential compromises.