CVE-2025-9993 identifies a Local File Inclusion vulnerability in the Bei Fen – WordPress Backup Plugin for WordPress, affecting all versions up to and including 1.4.2 when running on PHP 7.1 or older. The vulnerability stems from improper control of the filename used in include or require statements (classified under CWE-98), specifically via the 'task' parameter. An authenticated attacker with at least Subscriber-level privileges can exploit this flaw to include arbitrary PHP files on the server. This capability enables execution of arbitrary PHP code, which can bypass access controls, expose sensitive information, or lead to full remote code execution if the attacker can upload PHP files. The vulnerability does not require user interaction beyond authentication and is exploitable remotely over the network. The CVSS v3.1 base score is 8.1, indicating high severity, with attack vector as network, attack complexity high, no privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. No patches or fixes have been published at the time of disclosure, and no known exploits have been observed in the wild. The vulnerability is particularly relevant for environments still running legacy PHP versions (7.1 or older), which are no longer supported and lack security updates. WordPress sites using this plugin without updates or mitigations are at risk of compromise.

For European organizations, this vulnerability poses a significant risk, especially for those operating WordPress sites with the Bei Fen – WordPress Backup Plugin on legacy PHP environments. Exploitation can lead to unauthorized code execution on web servers, resulting in data breaches, defacement, or use of compromised servers as pivot points for further attacks. Confidential data stored or processed by the WordPress site could be exposed or altered, impacting data privacy compliance obligations such as GDPR. Availability of services may be disrupted due to malicious code execution or server instability. Organizations in sectors with high web presence, such as e-commerce, media, and government, face elevated risks. The requirement for authenticated access somewhat limits the attack surface but does not eliminate risk, as subscriber-level accounts are common and may be compromised via phishing or weak credentials. The lack of patches increases exposure duration, and the presence of outdated PHP versions in many European hosting environments exacerbates the threat. Overall, the vulnerability could facilitate severe operational and reputational damage.

1. Upgrade PHP to a supported version newer than 7.1 immediately, as this vulnerability only affects PHP 7.1 or older. 2. Remove or update the Bei Fen – WordPress Backup Plugin to a version that addresses this vulnerability once available. If no patch exists, consider disabling or replacing the plugin with a secure alternative. 3. Restrict file upload capabilities and ensure strict validation and sanitization of any uploaded files to prevent attackers from uploading malicious PHP files. 4. Implement strict access controls and monitor accounts with Subscriber-level access or higher for suspicious activity. 5. Employ Web Application Firewalls (WAFs) with rules to detect and block attempts to exploit LFI vulnerabilities. 6. Conduct regular security audits and vulnerability scans focusing on WordPress plugins and PHP versions. 7. Harden PHP configurations by disabling dangerous functions and restricting include paths. 8. Educate users on strong authentication practices to reduce the risk of account compromise. 9. Monitor logs for unusual include/require requests or unexpected file executions. 10. Prepare incident response plans to quickly address any exploitation attempts.