CVE-2025-47670 Overview
CVE-2025-47670 is a Local File Inclusion (LFI) vulnerability in the miniOrange WordPress Social Login and Register plugin (miniorange-login-openid). The flaw stems from improper control of filenames used in PHP include or require statements [CWE-98]. Attackers can manipulate file path parameters to include arbitrary local PHP files on the WordPress server. The vulnerability affects all plugin versions up to and including 7.6.10. Successful exploitation can lead to source code disclosure, sensitive configuration file access, and in some configurations, remote code execution through log poisoning or session file inclusion.
Critical Impact
An unauthenticated attacker can include arbitrary local PHP files on the target WordPress server, enabling sensitive data disclosure and potentially full code execution.
Affected Products
- miniOrange WordPress Social Login and Register plugin (miniorange-login-openid)
- All plugin versions through 7.6.10 (no lower bound reported)
- WordPress sites running the vulnerable plugin
Discovery Timeline
- 2025-05-23 - CVE-2025-47670 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2025-47670
Vulnerability Analysis
The vulnerability is classified as Improper Control of Filename for Include/Require Statement in PHP Program [CWE-98]. The plugin accepts user-controlled input and passes it into a PHP include or require call without adequate sanitization or allow-listing. This permits an attacker to traverse the filesystem and load arbitrary PHP files accessible to the web server process.
Local File Inclusion in PHP applications typically enables disclosure of files such as wp-config.php, which contains database credentials and authentication keys. When combined with primitives such as log file poisoning, /proc/self/environ access, or PHP session file inclusion, LFI flaws frequently escalate to remote code execution.
The EPSS score of 0.547% places this vulnerability in the 67th percentile for exploitation likelihood across all published CVEs.
Root Cause
The root cause is the absence of strict validation on a filename parameter consumed by a PHP file inclusion construct. The plugin does not enforce an allow-list of expected files, does not canonicalize the path, and does not strip directory traversal sequences such as ../. As a result, the include resolver follows attacker-supplied paths outside the intended directory.
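The following added example (not code from the plugin or from Patchstack) models the three missing controls named above in Python so the difference is testable: an include resolver that splices the parameter straight into a path, one that only strips `../` once, and a hardened form that applies an allow-list, canonicalizes, and checks containment. The plugin directory, the view names, and the parameter handling are assumptions for illustration, not the plugin's real layout or endpoint.

```python
import os

# Assumed plugin view directory; the real plugin layout is not documented on this page.
PLUGIN_DIR = "/var/www/html/wp-content/plugins/miniorange-login-openid/view"

# Allow-list of view names the endpoint legitimately serves (constructed names).
ALLOWED_VIEWS = frozenset({"login_form", "register_form", "settings"})


def vulnerable_resolve(param: str) -> str:
    """Models the CWE-98 pattern: untrusted input spliced into an include path
    with no allow-list, no canonicalisation and no traversal handling.
    normpath shows the file the interpreter would actually open."""
    return os.path.normpath(PLUGIN_DIR + "/" + param + ".php")


def naive_strip_resolve(param: str) -> str:
    """Removes '../' once before building the path. This is not a fix:
    '....//' collapses to '../' after a single pass, so traversal survives."""
    stripped = param.replace("../", "")
    return os.path.normpath(PLUGIN_DIR + "/" + stripped + ".php")


def safe_resolve(param: str):
    """Hardened form: allow-list first, then canonicalise and check containment.
    Returns the resolved path, or None when the request must be rejected."""
    # 1. Only expected view names are accepted; anything else never touches the filesystem.
    if param not in ALLOWED_VIEWS:
        return None
    # 2. realpath collapses '..' and symlinks so the containment check is meaningful.
    candidate = os.path.realpath(PLUGIN_DIR + "/" + param + ".php")
    base = os.path.realpath(PLUGIN_DIR)
    # 3. The resolved file must still live under the plugin directory.
    if os.path.commonpath([candidate, base]) != base:
        return None
    return candidate


if __name__ == "__main__":
    for probe in ("login_form", "../../../../wp-config", "....//....//....//....//wp-config"):
        print(f"{probe!r:45} vulnerable -> {vulnerable_resolve(probe)}")
        print(f"{'':45} strip-once -> {naive_strip_resolve(probe)}")
        print(f"{'':45} hardened   -> {safe_resolve(probe)}")
```

The allow-list alone defeats traversal in this model; the canonicalization and containment steps are kept because they also catch cases the allow-list cannot express, such as a listed file being replaced by a symlink pointing outside the plugin directory.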
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker sends a crafted HTTP request to a vulnerable plugin endpoint with a manipulated filename parameter. The PHP interpreter then loads and executes the referenced file in the context of the WordPress process.
The vulnerability manifests when user input flows directly into a PHP file inclusion statement. See the Patchstack Vulnerability Report for additional technical details.
Detection Methods for CVE-2025-47670
Indicators of Compromise
- HTTP requests to plugin endpoints containing directory traversal sequences such as ../ or URL-encoded variants like %2e%2e%2f
- Access log entries referencing sensitive paths such as wp-config.php, /etc/passwd, or /proc/self/environ
- Unexpected PHP errors in web server logs referencing include() or require() failures with attacker-supplied paths
- Outbound network connections from the PHP worker following suspicious inclusion attempts
Detection Strategies
- Inspect web server access logs for query parameters that include filesystem paths or traversal patterns targeting the miniorange-login-openid plugin
- Deploy web application firewall (WAF) rules that flag LFI patterns in requests to WordPress plugin endpoints
- Correlate plugin requests with subsequent PHP execution anomalies or unexpected child process creation by the web server user
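As an added example of the first detection strategy (not part of the original advisory), the Python below scans Apache combined-format access log lines for requests to the miniorange-login-openid plugin whose query parameters contain traversal sequences or the sensitive paths listed under Indicators of Compromise, decoding repeatedly so that double-encoded variants such as `%252e%252e%252f` are not missed. The log lines, the endpoint filename `endpoint.php`, and the parameter name `file` are constructed for this example; the plugin's real endpoint and parameter names are not given on this page.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

PLUGIN_MARKER = "miniorange-login-openid"
TRAVERSAL = re.compile(r"\.\./|\.\.\\")
SENSITIVE_PATHS = ("wp-config.php", "/etc/passwd", "/proc/self/environ")

# Apache combined log format: ip ident user [ts] "METHOD target PROTO" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample traffic; endpoint and parameter names are placeholders.
SAMPLE_LOG = """\
203.0.113.5 - - [23/May/2025:10:01:12 +0000] "GET /wp-content/plugins/miniorange-login-openid/endpoint.php?file=../../../../wp-config.php HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.5 - - [23/May/2025:10:01:15 +0000] "GET /wp-content/plugins/miniorange-login-openid/endpoint.php?file=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1024 "-" "curl/8.0"
203.0.113.5 - - [23/May/2025:10:01:18 +0000] "GET /wp-content/plugins/miniorange-login-openid/endpoint.php?file=%252e%252e%252fproc%252fself%252fenviron HTTP/1.1" 200 2048 "-" "curl/8.0"
198.51.100.7 - - [23/May/2025:10:02:00 +0000] "GET /wp-content/plugins/miniorange-login-openid/endpoint.php?file=login_form HTTP/1.1" 200 3210 "-" "Mozilla/5.0"
198.51.100.9 - - [23/May/2025:10:03:00 +0000] "GET /wp-content/plugins/other-plugin/x.php?p=../../etc/passwd HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until the string stops changing (bounded), so nested
    encodings like %252e -> %2e -> . are unwrapped."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_line(line: str):
    """Return a finding dict for a suspicious plugin request, else None."""
    match = LINE_RE.match(line)
    if not match:
        return None
    target = match.group("target")
    if PLUGIN_MARKER not in target:
        return None  # only requests to the affected plugin are in scope here
    reasons = []
    # parse_qsl already decodes one layer; fully_decode handles the rest.
    for name, raw in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        value = fully_decode(raw)
        if TRAVERSAL.search(value):
            reasons.append(f"traversal in {name}")
        for path in SENSITIVE_PATHS:
            if path in value:
                reasons.append(f"{path} in {name}")
    if not reasons:
        return None
    return {
        "ip": match.group("ip"),
        "timestamp": match.group("ts"),
        "status": int(match.group("status")),
        "target": target,
        "reasons": reasons,
    }


def scan_log(text: str) -> list:
    """Scan every line of an access log and collect findings."""
    return [f for f in (scan_line(l) for l in text.splitlines()) if f]


def hits_by_ip(findings: list) -> dict:
    """Count findings per client address for triage."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for f in results:
        print(f"{f['ip']} {f['timestamp']} status={f['status']} {', '.join(f['reasons'])}")
    print("per-IP:", hits_by_ip(results))
```

A 200 status on a flagged request deserves the most attention, since it suggests the inclusion succeeded; requests to other plugins are deliberately left out of scope so the output stays focused on this CVE, though the same logic generalizes by changing `PLUGIN_MARKER`.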
Monitoring Recommendations
- Monitor file system reads of sensitive WordPress files such as wp-config.php by the web server process
- Alert on new or modified PHP files within wp-content/uploads/ directories, which are common targets for log poisoning
- Track outbound connections initiated by PHP-FPM or Apache workers immediately after requests to the affected plugin
How to Mitigate CVE-2025-47670
Immediate Actions Required
- Update the miniOrange WordPress Social Login and Register plugin to a version later than 7.6.10 as soon as a patched release is available
- Disable or remove the plugin if a patch is not yet available and the functionality is non-essential
- Audit web server and WordPress logs for prior exploitation attempts referencing the vulnerable endpoints
- Rotate WordPress secrets, database credentials, and API keys if exploitation indicators are found
Patch Information
Review the Patchstack Vulnerability Report for fixed version details and vendor advisories. The vulnerability affects all versions through 7.6.10.
Workarounds
- Block requests to the vulnerable plugin endpoints at the WAF or reverse proxy layer until the plugin is updated
- Configure PHP open_basedir to restrict file inclusion to the WordPress installation directory
- Set allow_url_include = Off and allow_url_fopen = Off in php.ini to prevent remote inclusion variants
- Apply least-privilege filesystem permissions so that the web server user cannot read sensitive system files
# Configuration example: restrict PHP file inclusion via php.ini
allow_url_include = Off
allow_url_fopen = Off
open_basedir = "/var/www/html:/tmp"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.