CVE-2025-24690 Overview
CVE-2025-24690 is a Local File Inclusion (LFI) vulnerability in the Michele Giorgi Formality plugin for WordPress. The flaw stems from improper control of filenames passed to PHP include or require statements, classified under [CWE-98]. All versions of Formality up to and including 1.5.7 are affected. An unauthenticated remote attacker can leverage the vulnerability to include arbitrary local PHP files, leading to disclosure of sensitive configuration data, source code, or arbitrary code execution when combined with a writable file primitive.
Critical Impact
Unauthenticated attackers can include arbitrary local PHP files on the server, enabling sensitive information disclosure and potential remote code execution.
Affected Products
- Michele Giorgi Formality WordPress plugin, versions up to and including 1.5.7
- WordPress sites running the Formality plugin without the patched release
- Hosting environments where Formality is active and exposed to untrusted HTTP traffic
Discovery Timeline
- 2025-03-26 - CVE-2025-24690 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2025-24690
Vulnerability Analysis
The vulnerability is a PHP File Inclusion weakness ([CWE-98]) in the Formality WordPress plugin. The plugin passes attacker-influenced input into a PHP include or require construct without enforcing a strict allowlist or validating the resolved path. As a result, an attacker can manipulate the parameter to traverse the file system and load arbitrary .php files accessible to the web server user.
While the advisory categorizes the issue as Local File Inclusion, the underlying weakness is the PHP RFI/LFI class, which historically permits both local and remote inclusion depending on the allow_url_include setting in php.ini. On modern PHP installations remote inclusion is typically disabled, but local inclusion remains exploitable. EPSS data places this issue in the upper range of likely-exploited vulnerabilities for WordPress plugins.
Root Cause
The plugin accepts a user-controlled value, likely a template, view, or module name, and concatenates it into a path supplied to include/require. The code does not normalize the path, restrict it to a known directory, or reject traversal sequences such as ../. Any caller that reaches the vulnerable handler can therefore reference files outside the plugin directory.
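The following is an added illustration of the weakness described above, not Formality's own code: a resolver that concatenates the request value into the include path next to a hardened resolver that allowlists the template name, rejects wrappers and null bytes, and verifies containment. The template directory and template names are assumptions.

```python
import os
import re

# Assumption: Formality's real code is not on the page; these paths and names are illustrative.
TEMPLATE_DIR = "/var/www/html/wp-content/plugins/formality/templates"
ALLOWED_TEMPLATES = {"contact", "survey", "thanks"}


def vulnerable_resolve(name):
    # The CWE-98 pattern the advisory describes: an attacker-influenced value is
    # concatenated straight into the path that is later handed to include/require.
    return TEMPLATE_DIR + "/" + name


def safe_resolve(name, base_dir=TEMPLATE_DIR, allowed=ALLOWED_TEMPLATES):
    # Reject null bytes (path truncation) and stream wrappers such as php:// or data://
    if "\x00" in name or "://" in name:
        raise ValueError("forbidden characters in template name")
    # Only a bare identifier is accepted: no slashes, backslashes or dots, so no ../
    if not re.fullmatch(r"[A-Za-z0-9_-]+", name):
        raise ValueError("invalid template name")
    # Allowlist of known templates; the extension is appended here, never by the caller
    if allowed is not None and name not in allowed:
        raise ValueError("unknown template")
    # Containment check as defence in depth: resolve symlinks and confirm the result
    # still lives under the template directory before it is included.
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, name + ".php"))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("resolved path escapes the template directory")
    return candidate


def check(name):
    """Return ('ok', path) or ('rejected', reason) for a request-supplied template name."""
    try:
        return ("ok", safe_resolve(name))
    except ValueError as exc:
        return ("rejected", str(exc))
```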
Attack Vector
The attack is delivered over the network with no authentication and no user interaction, although exploitation requires meeting specific request conditions. An attacker issues an HTTP request to the vulnerable Formality endpoint with a manipulated filename parameter pointing to an existing local file. The targeted file is parsed by the PHP engine, which exposes its contents or executes embedded PHP. Common post-exploitation paths include reading wp-config.php for database credentials, harvesting secrets from log files, or chaining with a separate file upload primitive to achieve remote code execution.
Refer to the Patchstack WordPress Vulnerability Advisory for additional technical context.
Detection Methods for CVE-2025-24690
Indicators of Compromise
- HTTP requests to Formality plugin endpoints containing path traversal sequences such as ../, ..%2f, or absolute paths like /etc/passwd or wp-config.php.
- Web server access logs showing unusual query parameters referencing PHP files outside the wp-content/plugins/formality/ directory.
- Unexpected outbound connections or new PHP files created in wp-content/uploads/ shortly after suspicious Formality requests.
Detection Strategies
- Inspect WordPress and web server logs for requests to Formality handlers with file-like parameter values, particularly those containing .., null bytes (%00), or php:// wrappers.
- Deploy WAF rules that block path traversal patterns and known PHP wrapper schemes against /wp-admin/admin-ajax.php and Formality REST routes.
- Use file integrity monitoring on the WordPress installation to flag unauthorized changes to plugin and theme directories.
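The indicators and log-inspection strategy above, as an added example that is not part of the original advisory: a small scanner that parses combined-format access log lines, keeps only requests that reference Formality endpoints, decodes each query value (including double encoding) and flags traversal, null bytes, stream wrappers, absolute paths and wp-config.php references. The log lines are constructed, and the assumption that Formality endpoints carry the plugin name in the path or query is a heuristic, not something the page confirms.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines in combined log format; this is not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [26/Mar/2025:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=formality_load&template=../../../../wp-config.php HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.11 - - [26/Mar/2025:10:01:05 +0000] "GET /wp-json/formality/v1/form?view=..%252f..%252f..%252fwp-config.php HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.12 - - [26/Mar/2025:10:01:09 +0000] "GET /wp-json/formality/v1/form?view=php://filter/resource=index.php HTTP/1.1" 200 900 "-" "python-requests/2.31"
203.0.113.13 - - [26/Mar/2025:10:01:12 +0000] "GET /wp-json/formality/v1/form?view=/etc/passwd%00 HTTP/1.1" 404 0 "-" "curl/8.0"
198.51.100.5 - - [26/Mar/2025:10:02:00 +0000] "GET /wp-json/formality/v1/form?view=contact HTTP/1.1" 200 300 "-" "Mozilla/5.0"
198.51.100.6 - - [26/Mar/2025:10:02:03 +0000] "GET /blog/?s=../ HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')

# Patterns applied to each decoded query value, mirroring the indicators listed above
SUSPICIOUS = [
    ("traversal", re.compile(r"(^|[\\/])\.\.([\\/]|$)")),
    ("null_byte", re.compile("\x00")),
    ("wrapper", re.compile(r"^[a-z]+://", re.I)),        # php://, data://, remote URLs
    ("absolute_path", re.compile(r"^/")),
    ("sensitive_file", re.compile(r"wp-config\.php", re.I)),
]


def decode(value):
    # parse_qsl already decoded once; decode again so double-encoded %252f is caught
    return unquote(unquote(value))


def is_formality_request(url):
    # Assumption: Formality's AJAX actions and REST routes carry the plugin name in path or query
    return "formality" in url.lower()


def classify(line):
    """Return {ip, url, status, findings} for a suspicious Formality request, else None."""
    m = LOG_RE.match(line)
    if not m or not is_formality_request(m.group("url")):
        return None
    findings = []
    for key, raw in parse_qsl(urlsplit(m.group("url")).query, keep_blank_values=True):
        value = decode(raw)
        findings += [(key, name) for name, pat in SUSPICIOUS if pat.search(value)]
    if not findings:
        return None
    return {"ip": m.group("ip"), "url": m.group("url"), "status": m.group("status"), "findings": findings}


def scan(log_text):
    """Run classify over every line and return the hits in order."""
    return [hit for hit in (classify(l) for l in log_text.splitlines()) if hit]
```

Requests to non-Formality paths that merely contain "../" are deliberately ignored so the scanner stays focused on this plugin; the status code is kept because a 200 on a traversal request is more alarming than a 404.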
Monitoring Recommendations
- Alert on PHP error log entries referencing include() or require() failures with attacker-controlled paths.
- Correlate Formality plugin request anomalies with subsequent administrative logins or new user creation events.
- Monitor egress traffic from the web server for unexpected connections that could indicate post-exploitation activity.
How to Mitigate CVE-2025-24690
Immediate Actions Required
- Identify all WordPress sites running the Formality plugin and confirm the installed version is greater than 1.5.7.
- Deactivate and remove the Formality plugin if a patched release is not yet available for your environment.
- Rotate any credentials and API keys stored in wp-config.php if exploitation is suspected.
- Review web server and WordPress logs for indicators of prior exploitation attempts.
Patch Information
Update the Formality plugin to a version released after 1.5.7 that addresses CVE-2025-24690. Consult the Patchstack WordPress Vulnerability Advisory for the fixed version and remediation guidance.
Workarounds
- Disable the Formality plugin until an updated version can be installed and tested.
- Restrict access to WordPress admin and AJAX endpoints by IP allowlist where feasible.
- Set allow_url_include=Off and allow_url_fopen=Off in php.ini to prevent remote inclusion vectors.
- Apply virtual patching through a Web Application Firewall to block traversal sequences targeting Formality routes.
```ini
; Configuration example: harden PHP against file inclusion abuse
; /etc/php/8.x/fpm/php.ini (php.ini comments use ';'; '#' is not accepted on PHP 7 and later)
allow_url_include = Off   ; blocks remote inclusion; local inclusion is unaffected
allow_url_fopen = Off
; Limits which files PHP may open or include. wp-config.php still sits inside this root,
; so this is defence in depth, not a fix for the plugin flaw.
open_basedir = "/var/www/html:/tmp"
disable_functions = "exec,passthru,shell_exec,system,proc_open,popen"
```
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.