CVE-2025-9993: CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in d3rd4v1d Bei Fen – WordPress Backup Plugin
The Bei Fen – WordPress Backup Plugin plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.4.2 via the 'task' parameter. This makes it possible for authenticated attackers, with Subscriber-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included. This only affects instances running PHP 7.1 or older.
AI Analysis
Technical Summary
CVE-2025-9993 is a high-severity vulnerability classified under CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program) in the Bei Fen – WordPress Backup Plugin developed by d3rd4v1d. It exists in all plugin versions up to and including 1.4.2 and affects only WordPress instances running PHP 7.1 or older. The flaw is a Local File Inclusion (LFI): the value of the 'task' parameter is used to select a file for inclusion, so an authenticated attacker with Subscriber-level access or higher can cause the server to include and execute an arbitrary .php file. This escalates to remote code execution (RCE) when the attacker can upload PHP files or otherwise control file content on the server. Subscriber is a low-level role assigned to users with minimal permissions, so the authentication requirement is a weak barrier and the attack is accessible to many accounts. The vulnerability can be used to bypass access controls, extract sensitive data, or execute arbitrary code, severely compromising the confidentiality, integrity, and availability of the affected system. The CVSS v3.1 base score is 8.1 (High): network attack vector, low privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. No exploits in the wild have been reported and no patch has been linked yet, so mitigation may require manual intervention or a plugin update once one becomes available. PHP 7.1 and older are no longer supported and carry multiple security risks beyond this vulnerability.
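The following is an added illustration of the CWE-98 pattern described above and one way to close it; it is not the Bei Fen plugin's code and nothing here is taken from the affected plugin. The function names, the task list, the `tasks/` directory and the `manage_options` capability are assumptions; `current_user_can()`, `wp_die()` and `realpath()` are the real WordPress and PHP APIs.

```php
<?php
// Added example (not the plugin's code): a request-driven include beside a
// hardened dispatcher. Function names, task names and paths are hypothetical.

// --- Vulnerable pattern: the request decides which file is included. ---
function beifen_demo_handle_task_vulnerable(): void
{
    $task = isset($_GET['task']) ? (string) $_GET['task'] : 'status';
    // Whatever the caller supplies becomes part of the include path, so any
    // readable .php file the string can resolve to is executed. There is also
    // no capability check, which is why a low-privilege account suffices.
    include __DIR__ . '/tasks/' . $task . '.php';
}

// --- Hardened pattern: capability check first, then allowlist dispatch. ---
const BEIFEN_DEMO_TASKS = [
    'status'  => 'status.php',
    'backup'  => 'backup.php',
    'restore' => 'restore.php',
];

function beifen_demo_handle_task_hardened(): void
{
    // Backup operations are administrative; reject low-privilege users before
    // any file name is touched. The capability name is an assumption.
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient permissions', '', ['response' => 403]);
    }

    $task = isset($_GET['task']) ? (string) $_GET['task'] : 'status';

    // The request value is only ever used as a lookup key. The file name comes
    // from the fixed map, so no user-controlled string reaches include.
    if (!array_key_exists($task, BEIFEN_DEMO_TASKS)) {
        wp_die('Unknown task', '', ['response' => 400]);
    }

    $tasksDir = realpath(__DIR__ . '/tasks');
    $real     = realpath(__DIR__ . '/tasks/' . BEIFEN_DEMO_TASKS[$task]);

    // Defence in depth: confirm the resolved path still lies inside tasks/.
    if ($tasksDir === false || $real === false
        || strpos($real, $tasksDir . DIRECTORY_SEPARATOR) !== 0) {
        wp_die('Task file missing', '', ['response' => 500]);
    }

    include $real;
}
```

The allowlist is the control that matters: once the request value can only select among fixed keys, path traversal, absolute paths and references to uploaded files are all rejected by the same `array_key_exists()` test, independent of the PHP version in use. The capability check addresses the second half of the advisory, that Subscriber-level accounts could reach the handler at all.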
Potential Impact
For European organizations, this vulnerability poses a significant risk, especially for those using WordPress sites with the Bei Fen Backup Plugin on legacy PHP environments (7.1 or older). Successful exploitation can lead to full server compromise, data breaches involving sensitive customer or business data, defacement of websites, or use of the compromised server as a pivot point for further attacks within the network. Given the widespread use of WordPress across Europe for business, government, and e-commerce websites, the impact could be substantial. Organizations in sectors with strict data protection regulations such as GDPR (e.g., finance, healthcare, public sector) face increased legal and reputational risks if sensitive data is exposed. The requirement for only Subscriber-level access lowers the barrier for exploitation, potentially allowing attackers to leverage compromised or weak user credentials to escalate attacks. Additionally, many European organizations may still run legacy PHP versions due to compatibility or resource constraints, increasing exposure. The absence of known exploits in the wild currently provides a window for proactive mitigation, but the high severity and ease of exploitation necessitate urgent attention.
Mitigation Recommendations
1. Immediate upgrade of PHP to a supported and secure version (PHP 7.4 or later, preferably PHP 8.x) to eliminate the environment-specific condition of the vulnerability.
2. Update or replace the Bei Fen – WordPress Backup Plugin with a patched version once available; if no patch exists, consider disabling or uninstalling the plugin until a fix is released.
3. Restrict user roles and permissions rigorously, ensuring that Subscriber-level accounts are monitored and that account creation is controlled to prevent unauthorized access.
4. Implement Web Application Firewall (WAF) rules to detect and block suspicious requests targeting the 'task' parameter or attempts to include files via URL manipulation.
5. Conduct regular security audits and vulnerability scans focusing on WordPress plugins and PHP versions to identify and remediate outdated components.
6. Monitor logs for unusual file inclusion attempts or unexpected PHP file executions.
7. Employ file integrity monitoring to detect unauthorized changes or uploads of PHP files.
8. Educate administrators and users about the risks of weak credentials and enforce strong authentication policies, including multi-factor authentication (MFA) where possible.
9. Isolate WordPress environments and backups to limit lateral movement in case of compromise.
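Recommendations 4 and 6 call for detecting requests that manipulate the 'task' parameter. The script below is an added example, not part of the advisory or of the plugin: it reads web-server access log lines in combined format, extracts the `task` query value, and flags any value that is not an expected task name or that carries a file-inclusion indicator (traversal sequences, absolute paths, stream-wrapper schemes, explicit `.php` references). The expected task names, the `/wp-admin/admin.php?page=beifen` URI and the log lines are all constructed for this illustration.

```php
<?php
// Added example (not the advisory's or the plugin's code): scan access-log
// lines for suspicious 'task' values. Task names and URIs are assumptions.

const EXPECTED_TASKS = ['status', 'backup', 'restore'];

// Things a legitimate task name never needs: traversal ("../" or "..\"),
// an absolute POSIX or Windows path, a scheme such as php:// or http://,
// or an explicit .php reference.
const LFI_INDICATORS = '~(\.\./|\.\.\\\\|^/|^[a-z]:\\\\|^[a-z][a-z0-9+.-]*://|\.php)~i';

// Returns null for an expected value, otherwise a short reason string.
function classify_task_value(string $task): ?string
{
    // parse_str() has already decoded once; a second decode catches
    // double-encoded values that a WAF or the application might decode later.
    $decoded = rawurldecode($task);
    if (in_array($decoded, EXPECTED_TASKS, true)) {
        return null;
    }
    if (preg_match(LFI_INDICATORS, $decoded)) {
        return 'file-inclusion indicator';
    }
    return 'unexpected task value';
}

// Parses combined-format lines and returns one finding per suspicious request.
function scan_access_log(array $lines): array
{
    $findings = [];
    $logRe = '/^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/';
    foreach ($lines as $line) {
        if (!preg_match($logRe, $line, $m)) {
            continue; // not a request line we understand
        }
        [, $client, $user, $time, $method, $uri, $status] = $m;
        $query = parse_url($uri, PHP_URL_QUERY);
        if ($query === null || $query === false) {
            continue; // no query string, so no 'task' parameter
        }
        parse_str($query, $params);
        if (!isset($params['task']) || !is_string($params['task'])) {
            continue;
        }
        $reason = classify_task_value($params['task']);
        if ($reason !== null) {
            $findings[] = compact('client', 'user', 'time', 'method', 'uri', 'status', 'reason');
        }
    }
    return $findings;
}

// Constructed sample: two benign requests, one traversal attempt, one
// double-encoded traversal attempt. None of this is real log data.
$sample = [
    '203.0.113.10 - alice [30/Sep/2025:03:46:55 +0000] "GET /wp-admin/admin.php?page=beifen&task=status HTTP/1.1" 200 512',
    '203.0.113.10 - alice [30/Sep/2025:03:47:01 +0000] "POST /wp-admin/admin.php?page=beifen&task=backup HTTP/1.1" 200 128',
    '198.51.100.7 - bob [30/Sep/2025:03:52:10 +0000] "GET /wp-admin/admin.php?page=beifen&task=../../wp-content/uploads/avatar.php HTTP/1.1" 200 40',
    '198.51.100.7 - bob [30/Sep/2025:03:52:12 +0000] "GET /wp-admin/admin.php?page=beifen&task=%2e%2e%2f%2e%2e%2fuploads%2fimg HTTP/1.1" 500 0',
];

foreach (scan_access_log($sample) as $f) {
    printf("%s client=%s user=%s %s %s -> %s (HTTP %s)\n",
        $f['time'], $f['client'], $f['user'], $f['method'], $f['uri'], $f['reason'], $f['status']);
}
```

Run it with `php scan.php` against lines read from the real log (replace `$sample` with `file('/var/log/apache2/access.log', FILE_IGNORE_NEW_LINES)`). Matching against an allowlist of expected task names rather than only against attack patterns means novel encodings still surface as "unexpected task value"; the indicator regex then tells the analyst which of those deserve immediate attention. Requests that returned HTTP 200 with a flagged value are the ones to correlate with file-integrity alerts (recommendation 7).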
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Belgium, Sweden, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-09-04T14:36:59.293Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68db52afa473ffe031e44809
Added to database: 9/30/2025, 3:46:55 AM
Last enriched: 9/30/2025, 4:00:47 AM
Last updated: 9/30/2025, 6:23:49 AM