CVE-2025-9993 identifies a Local File Inclusion vulnerability in the Bei Fen – WordPress Backup Plugin for WordPress, affecting all versions up to and including 1.4.2 when running on PHP 7.1 or older. The vulnerability stems from improper control of the filename used in include or require statements, classified under CWE-98. Specifically, the plugin fails to properly validate or sanitize the 'task' parameter, allowing authenticated users with Subscriber-level privileges or higher to manipulate this parameter to include arbitrary PHP files on the server. This can lead to remote code execution by executing attacker-controlled PHP code, bypassing access controls, and potentially exposing sensitive information stored on the server. The exploit requires authentication but no user interaction beyond login, and the attack surface is limited to environments running outdated PHP versions. The CVSS v3.1 score of 8.1 reflects the high impact on confidentiality, integrity, and availability, though the attack complexity is high due to the need for authentication and specific PHP version constraints. No patches or exploits are currently publicly available, but the vulnerability is publicly disclosed and should be treated as critical for affected environments.

The impact of CVE-2025-9993 is significant for organizations using the Bei Fen – WordPress Backup Plugin on PHP 7.1 or older. Successful exploitation allows attackers to execute arbitrary PHP code on the web server, which can lead to full system compromise, data theft, defacement, or pivoting to internal networks. Confidentiality is at risk due to potential unauthorized data access, integrity is compromised through code execution and modification, and availability can be affected by disruptive payloads. Since the vulnerability requires only Subscriber-level authentication, attackers can leverage compromised or weak user credentials to escalate privileges and execute code. This threat is particularly critical for organizations relying on WordPress for content management and backup, especially those that have not updated PHP or plugin versions. The lack of known exploits in the wild currently reduces immediate risk but does not diminish the potential for future targeted attacks.

1. Upgrade PHP to version 7.2 or later, as the vulnerability only affects PHP 7.1 and older. 2. Update the Bei Fen – WordPress Backup Plugin to the latest version once a patch is released; monitor vendor communications for updates. 3. Implement strict input validation and sanitization on the 'task' parameter to prevent inclusion of arbitrary files. 4. Restrict file upload capabilities and enforce file type restrictions to prevent uploading malicious PHP files. 5. Limit user privileges by enforcing the principle of least privilege, ensuring that Subscriber-level accounts have minimal permissions and monitoring for suspicious account activity. 6. Employ Web Application Firewalls (WAFs) with rules to detect and block attempts to exploit LFI vulnerabilities. 7. Conduct regular security audits and vulnerability scans focusing on outdated PHP versions and vulnerable plugins. 8. Monitor logs for unusual include or require calls and unexpected PHP file executions. 9. Consider isolating WordPress instances in containerized or sandboxed environments to limit impact of potential exploitation.