The Widget for Google Reviews plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.0.15 via the layout parameter. This makes it possible for authenticated attackers, with Subscriber-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. This is limited to just PHP files.

CVE-2025-7327 is a high-severity vulnerability affecting the 'Widget for Google Reviews' WordPress plugin developed by techlabpro1. This vulnerability is classified under CWE-98, which pertains to improper control of filenames used in include or require statements in PHP programs, commonly known as a Remote File Inclusion (RFI) or Local File Inclusion (LFI) vulnerability. Specifically, the flaw exists in all versions up to and including 1.0.15 of the plugin and is triggered via the 'layout' parameter. An authenticated attacker with Subscriber-level privileges or higher can exploit this vulnerability to perform directory traversal, allowing them to include and execute arbitrary PHP files on the server. This means that even users with minimal access rights can escalate their privileges by injecting PHP code through files that the plugin includes. The vulnerability enables attackers to bypass access controls, access sensitive data, and execute arbitrary code, potentially leading to full server compromise. The attack vector is remote network-based (AV:N), requires low attack complexity (AC:L), and only requires privileges equivalent to a Subscriber role (PR:L) without any user interaction (UI:N). The scope remains unchanged (S:U), but the impact on confidentiality, integrity, and availability is high (C:H/I:H/A:H). No patches have been published yet, and no known exploits are currently observed in the wild, but the high CVSS score of 8.8 indicates a critical need for remediation. This vulnerability is particularly dangerous because WordPress plugins are widely used, and the ability to execute arbitrary PHP code can lead to complete takeover of the affected web server.

CVE Database V5

Detailed information about CVE-2025-7327: CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in tech

CVE-2025-7327: CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in techlabpro1 Widget for Google Reviews - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-7327: CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in techlabpro1 Widget for Google Reviews

A vulnerability has been found in PHPGurukul/Campcodes Cyber Cafe Management System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /index.php. The manipulation of the argument Username leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

CVE-2025-7164 is a critical SQL Injection vulnerability identified in version 1.0 of the PHPGurukul/Campcodes Cyber Cafe Management System. The vulnerability resides in the /index.php file, specifically in the handling of the 'Username' parameter. An attacker can remotely manipulate this parameter to inject malicious SQL code due to insufficient input validation or sanitization. This allows the attacker to interfere with the backend database queries, potentially leading to unauthorized data access, data modification, or even complete compromise of the database. The vulnerability requires no authentication or user interaction, making it highly exploitable remotely over the network. The CVSS 4.0 score of 6.9 classifies this as a medium severity issue, reflecting the ease of exploitation (network attack vector, no privileges required) but with limited impact on confidentiality, integrity, and availability (low to medium impact). No public exploits are currently known in the wild, but the exploit details have been disclosed publicly, increasing the risk of exploitation. The affected product is a specialized cyber cafe management system, which typically manages user sessions, billing, and access control in internet cafes, meaning that exploitation could expose sensitive customer data or disrupt service availability.

Detailed information about CVE-2025-7164: SQL Injection in PHPGurukul Cyber Cafe Management System affecting PHPGurukul Cyber Cafe Management System. Get real-t

CVE-2025-7164: SQL Injection in PHPGurukul Cyber Cafe Management System - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-7164: SQL Injection in PHPGurukul Cyber Cafe Management System

A vulnerability, which was classified as critical, was found in PHPGurukul Zoo Management System 2.1. Affected is an unknown function of the file /admin/add-animals.php. The manipulation of the argument cnum leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

CVE-2025-7163 is a SQL Injection vulnerability identified in version 2.1 of the PHPGurukul Zoo Management System, specifically within the /admin/add-animals.php file. The vulnerability arises from improper sanitization or validation of the 'cnum' parameter, which is susceptible to malicious input manipulation. An attacker can exploit this flaw remotely without requiring user interaction or prior authentication, as indicated by the CVSS vector (AV:N/AC:L/AT:N/PR:L/UI:N). The vulnerability allows an attacker to inject arbitrary SQL commands, potentially leading to unauthorized data access, data modification, or even complete compromise of the underlying database. Although the CVSS score is 5.3 (medium severity), the exploitability is relatively straightforward due to low attack complexity and no user interaction needed. The vulnerability impacts confidentiality, integrity, and availability to a limited extent (VC:L/VI:L/VA:L), suggesting partial but not full compromise of these security properties. No patches or mitigations have been officially released yet, and while no known exploits are currently active in the wild, the public disclosure of the exploit code increases the risk of exploitation by opportunistic attackers. This vulnerability is critical for organizations using this specific version of the PHPGurukul Zoo Management System, especially those managing sensitive animal or operational data in zoo environments or related wildlife management sectors.

Detailed information about CVE-2025-7163: SQL Injection in PHPGurukul Zoo Management System affecting PHPGurukul Zoo Management System. Get real-time updates, t

CVE-2025-7163: SQL Injection in PHPGurukul Zoo Management System - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-7163: SQL Injection in PHPGurukul Zoo Management System

A vulnerability, which was classified as critical, has been found in PHPGurukul Zoo Management System 2.1. This issue affects some unknown processing of the file /admin/add-foreigners-ticket.php. The manipulation of the argument cprice leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

CVE-2025-7162 is a SQL Injection vulnerability identified in version 2.1 of the PHPGurukul Zoo Management System, specifically within the /admin/add-foreigners-ticket.php file. The vulnerability arises from improper handling and sanitization of the 'cprice' parameter, which is susceptible to malicious input manipulation. An attacker can exploit this flaw remotely without requiring user interaction or prior authentication, as indicated by the CVSS vector (AV:N/AC:L/AT:N/UI:N/PR:L). The vulnerability allows an attacker to inject arbitrary SQL commands into the backend database query, potentially leading to unauthorized data access, data modification, or even complete compromise of the database integrity and confidentiality. Although the CVSS score is 5.3 (medium severity), the vulnerability is classified as critical in the description, likely due to the potential impact of SQL injection flaws in general. The vulnerability does not require user interaction but does require low privileges (PR:L), meaning an attacker with limited access could exploit it. The scope is limited to the affected version 2.1 of the PHPGurukul Zoo Management System, which is a niche product used for managing zoo operations, including ticketing for foreign visitors. No public exploits are currently known in the wild, but the exploit details have been disclosed publicly, increasing the risk of exploitation. No patches or fixes have been linked yet, indicating that organizations using this software should prioritize mitigation.

Detailed information about CVE-2025-7162: SQL Injection in PHPGurukul Zoo Management System affecting PHPGurukul Zoo Management System. Get real-time updates, t

CVE-2025-7162: SQL Injection in PHPGurukul Zoo Management System - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-7162: SQL Injection in PHPGurukul Zoo Management System

A vulnerability was found in PHPGurukul/Campcodes Cyber Cafe Management System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /forgot-password.php. The manipulation of the argument email leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

Detailed information about CVE-2025-7165: SQL Injection in PHPGurukul Cyber Cafe Management System affecting PHPGurukul Cyber Cafe Management System. Get real-t

CVE-2025-7165: SQL Injection in PHPGurukul Cyber Cafe Management System

CVE-2025-7165: SQL Injection in PHPGurukul Cyber Cafe Management System

Description

Technical Details

Related Threats

CVE-2025-7327: CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in techlabpro1 Widget for Google Reviews

CVE-2025-7164: SQL Injection in PHPGurukul Cyber Cafe Management System

CVE-2025-7163: SQL Injection in PHPGurukul Zoo Management System

CVE-2025-7162: SQL Injection in PHPGurukul Zoo Management System

CVE-2025-5957: CWE-862 Missing Authorization in rcatheme Guest Support – Complete customer support ticket system for WordPress

Actions

External Links

Need enhanced features?

Latest Threats

Keyboard Shortcuts

Navigation

Search & Filters

UI Controls

Accessibility