CVE-2025-23949: Improved Sale Badges LFI Vulnerability

CVE-2025-23949 Overview

CVE-2025-23949 is a PHP Local File Inclusion (LFI) vulnerability affecting the Improved Sale Badges – Free Version WordPress plugin developed by dzeriho. The flaw stems from improper control of filenames passed to PHP include or require statements, classified as [CWE-98]. Attackers can leverage this weakness to load arbitrary local PHP files, potentially leading to code execution within the WordPress context. The vulnerability affects all plugin versions up to and including 1.0.1.

Critical Impact

Successful exploitation allows unauthenticated attackers to include arbitrary local files on the server, which can result in sensitive data disclosure, configuration exposure, and remote code execution under the web server account.

Affected Products

• dzeriho Improved Sale Badges – Free Version plugin for WordPress
• All versions from initial release through 1.0.1
• WordPress installations with improved-sale-badges-free-version active

Discovery Timeline

• 2025-01-22 - CVE-2025-23949 published to the National Vulnerability Database
• 2026-04-23 - Entry last modified in NVD

Technical Details for CVE-2025-23949

Vulnerability Analysis

The Improved Sale Badges – Free Version plugin fails to sanitize user-controlled input before passing it to a PHP file inclusion function. This pattern, tracked under [CWE-98], allows attacker-supplied values to influence which file the PHP interpreter loads at runtime. Because the network-reachable attack surface does not require authentication or user interaction, an external attacker can reach the vulnerable code path directly over HTTP(S). The Exploit Prediction Scoring System (EPSS) places this issue in the 81st percentile of likelihood to be exploited, indicating elevated attention from offensive tooling.

Root Cause

The root cause is the absence of strict allowlisting on filename parameters used by include, include_once, require, or require_once statements within the plugin. Without canonical path validation and a fixed allowlist of permitted files, attacker input is concatenated into a file path and resolved relative to the plugin directory or web root. Path traversal sequences and absolute paths can therefore reach arbitrary files readable by the PHP process.

Attack Vector

The vulnerability is exploited over the network by sending a crafted HTTP request containing a manipulated file parameter to a vulnerable plugin endpoint. An unauthenticated attacker can request inclusion of local files such as wp-config.php, log files, or uploaded content. When attacker-controlled content can be written to a readable location on disk, for example through log poisoning or media uploads, the LFI escalates to remote code execution within the PHP process.

The vulnerability mechanism is documented in the Patchstack WordPress Vulnerability advisory. No verified public proof-of-concept code is available at this time.

Detection Methods for CVE-2025-23949

Indicators of Compromise

• HTTP requests to plugin endpoints under /wp-content/plugins/improved-sale-badges-free-version/ containing path traversal sequences such as ../ or URL-encoded variants like %2e%2e%2f
• Requests referencing sensitive WordPress files such as wp-config.php, .htaccess, or /etc/passwd in query string parameters
• Unexpected PHP errors in web server logs referencing include() or require() failures with attacker-controlled paths
• New or modified PHP files in wp-content/uploads/ followed by inclusion requests targeting those files

Detection Strategies

• Inspect web access logs for query strings containing directory traversal patterns or absolute file paths directed at the plugin
• Correlate file upload events with subsequent requests to the plugin to identify potential log or upload poisoning chains
• Deploy WordPress-aware web application firewall rules that flag inclusion-style parameters against the affected plugin path

Monitoring Recommendations

• Enable PHP error logging and alert on failed to open stream or Failed opening required messages referencing the plugin directory
• Monitor file integrity for wp-config.php access patterns and unexpected reads from the WordPress installation
• Track outbound connections from the web server process that follow inclusion-style request patterns, indicating possible RCE follow-on activity

How to Mitigate CVE-2025-23949

Immediate Actions Required

• Deactivate and remove the Improved Sale Badges – Free Version plugin until a patched release is confirmed available
• Audit the WordPress installation for unauthorized administrator accounts, modified core files, and webshells in wp-content/uploads/
• Rotate WordPress secret keys, database credentials, and any API tokens that may have been exposed through wp-config.php disclosure
• Restrict access to the WordPress admin and plugin endpoints by source IP where operationally feasible

Patch Information

As of the latest NVD update on 2026-04-23, the advisory lists affected versions through 1.0.1 with no fixed version explicitly identified. Administrators should consult the Patchstack advisory for the latest remediation guidance and remove the plugin if no patched version is available.

Workarounds

• Configure the PHP open_basedir directive to limit file system paths accessible to the WordPress process
• Disable allow_url_include and allow_url_fopen in php.ini to reduce inclusion-based attack surface
• Block requests containing path traversal sequences at the web application firewall or reverse proxy layer
• Apply virtual patching rules from your WAF vendor that specifically target the improved-sale-badges-free-version plugin path

# Configuration example - php.ini hardening
allow_url_include = Off
allow_url_fopen = Off
open_basedir = "/var/www/html:/tmp"
disable_functions = "exec,passthru,shell_exec,system,proc_open,popen"