CVE-2025-48157 Overview
CVE-2025-48157 is a Local File Inclusion (LFI) vulnerability in Formality, the WordPress form-builder plugin by Michele Giorgi. The flaw is improper control of a filename argument passed to a PHP include or require statement [CWE-98]. Because PHP executes whatever file it includes, an attacker who can steer that filename to an arbitrary local file can run any PHP code they have already managed to place on the server (uploads, logs, session files) and, where the vulnerable code accepts stream wrappers, read sensitive files such as configuration. All Formality versions from the initial release through 1.5.9 are affected. The attack is network-reachable and requires no authentication, but exploitation complexity is rated high: the attacker also needs an includable file with attacker-influenced content, and PHP's path restrictions must not block it.
Critical Impact
Unauthenticated attackers can include local PHP files, leading to information disclosure and to remote code execution when the inclusion is chained with a way to place attacker-controlled content on disk, such as a file upload primitive, log poisoning, or PHP session files.
Affected Products
- Michele Giorgi Formality WordPress plugin versions through 1.5.9
- WordPress installations running the Formality form builder
- Sites with the plugin active and exposed to network traffic
Discovery Timeline
- 2025-08-20 - CVE-2025-48157 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2025-48157
Vulnerability Analysis
The vulnerability resides in how the Formality plugin handles filename input passed to PHP file inclusion functions such as include, include_once, require, or require_once. User-controlled input reaches these statements without sufficient sanitization or allowlist validation. As a result, an attacker can manipulate the filename parameter to reference unintended files on the local filesystem.
When exploited, the PHP interpreter loads and executes the targeted file in the context of the web server process. Including a PHP file runs it rather than printing it, so reading wp-config.php outright requires the vulnerable code to accept a stream wrapper such as php://filter; code execution requires an includable file whose contents the attacker controls, which is why LFI is typically chained with log poisoning, PHP session-file inclusion, or an upload primitive. The flaw is classified under [CWE-98], the standard weakness category for PHP file inclusion.
Root Cause
The root cause is missing or insufficient validation of filename input before it is concatenated into a PHP inclusion call. The plugin trusts request-supplied parameters when constructing the path used in include or require operations, violating the principle that inclusion targets must be drawn from a strict allowlist.
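To make the root cause concrete, here is an added illustration (not code from the Formality plugin, whose internals the advisory does not show): a template loader that builds an include path from a request value, next to a hardened version that only uses the request value as a key into a fixed allowlist and then re-checks the resolved path. The function names, parameter names, template directory and template names are assumptions for this example; it targets PHP 8 or later for str_starts_with.

```php
<?php
// Added illustration, not code from the Formality plugin: the CWE-98 pattern
// the advisory describes, next to a hardened loader. Template directory,
// template names and function names are assumptions for this example (PHP 8+).
declare(strict_types=1);

// VULNERABLE: the request value becomes part of the include path.
// "../../wp-config" walks out of the template directory, and a value such as
// "php://filter/convert.base64-encode/resource=../../wp-config" would be
// honoured as a stream wrapper if nothing were prepended to it.
function load_template_vulnerable(string $templateDir, string $name): void
{
    include $templateDir . '/' . $name . '.php';      // CWE-98
}

// HARDENED: the request value is only ever used as a key into a fixed map,
// so the filesystem path is chosen by the developer, not by the client.
const TEMPLATE_ALLOWLIST = [
    'contact' => 'contact.php',
    'survey'  => 'survey.php',
];

function resolve_template(string $templateDir, string $name): ?string
{
    if (!isset(TEMPLATE_ALLOWLIST[$name])) {
        return null;                                   // unknown key: refuse, never guess
    }
    $candidate = $templateDir . '/' . TEMPLATE_ALLOWLIST[$name];

    // Defence in depth: even with the allowlist, insist that the resolved path
    // is a regular file strictly inside the template directory.
    $real = realpath($candidate);
    $base = realpath($templateDir);
    if ($real === false || $base === false || !is_file($real)
        || !str_starts_with($real, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $real;
}

function load_template_safe(string $templateDir, string $name): bool
{
    $path = resolve_template($templateDir, $name);
    if ($path === null) {
        return false;                                  // caller answers 400/404
    }
    include $path;
    return true;
}

// Demo fixture: a throwaway template directory holding one legitimate template.
$dir = sys_get_temp_dir() . '/lfi-demo-templates';
if (!is_dir($dir) && !mkdir($dir, 0700)) {
    fwrite(STDERR, "cannot create $dir\n");
    exit(1);
}
file_put_contents($dir . '/contact.php', "<?php echo \"[contact template rendered]\\n\";\n");

// Constructed request values: one legitimate, one allowlisted-but-missing,
// the rest typical LFI probes.
$probes = [
    'contact',
    'survey',
    '../../wp-config',
    '../../../../../../etc/passwd%00',
    'php://filter/convert.base64-encode/resource=../../wp-config',
];
foreach ($probes as $p) {
    $ok = load_template_safe($dir, $p);
    printf("%-62s -> %s\n", $p, $ok ? 'included' : 'rejected');
}
```

Only the first probe is included; the allowlist rejects every traversal and wrapper string before any filesystem call is made, and the realpath check additionally rejects the allowlisted "survey" entry because its file does not exist in the fixture. The realpath step is what protects you if the allowlist is later edited carelessly (for example to map a key to a relative path).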
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker sends a crafted HTTP request to a vulnerable Formality endpoint, supplying a filename parameter that resolves to a local PHP file. Successful exploitation depends on environmental conditions: open_basedir limits which paths include() may reach, and an includable file containing attacker-influenced content must exist. Note that allow_url_include governs remote (URL) inclusion only and does not prevent this local flaw.
The vulnerability is described in the Patchstack WordPress Vulnerability Advisory.
Detection Methods for CVE-2025-48157
Indicators of Compromise
- HTTP requests to Formality plugin endpoints containing path traversal sequences such as ../, URL-encoded variants like %2e%2e%2f, or double-encoded variants like %252e%252e%252f
- Web server access logs showing unusual filename parameters referencing system paths like /etc/passwd, wp-config.php, or PHP session files
- PHP error logs reporting failed include or require calls originating from Formality plugin files
Detection Strategies
- Inspect WordPress request logs for requests targeting Formality endpoints with suspicious file path parameters
- Deploy web application firewall (WAF) rules that flag LFI patterns including null byte injection and double URL-encoded traversal sequences
- Correlate plugin parameter values with PHP include warnings to identify exploitation attempts in real time
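The indicators and detection strategies above, as an added example that is not part of the advisory: a small PHP script that pulls the request target out of combined-format access-log lines, percent-decodes each query parameter repeatedly so that double-encoded traversal is normalised, and flags traversal, null bytes, stream wrappers and references to sensitive files. The log lines are constructed, and the parameter name template is an assumption; the advisory does not name the vulnerable endpoint or parameter, so in production the script should additionally be narrowed to the request paths of the plugin actually deployed.

```php
<?php
// Added example (not from the advisory): flag LFI probes in access-log lines.
// The sample log lines below are constructed; the parameter name "template"
// is an assumption, since the advisory does not name the vulnerable parameter.
declare(strict_types=1);

const LFI_PATTERNS = [
    'traversal'      => '~(?:^|[/\\\\])\.\.(?:[/\\\\]|$)~',
    'null byte'      => '~\x00~',
    'stream wrapper' => '~(?:php|data|expect|phar|zip|glob)://~i',
    'sensitive file' => '~(?:wp-config(?:\.php)?|/etc/passwd|/proc/self/environ|sess_[0-9a-z,-]+|\b(?:access|error)\.log)~i',
];

// Percent-decode until the value stops changing (bounded), so that
// %252e%252e%252f and %2e%2e%2f both normalise to "../".
function decode_fully(string $s, int $maxPasses = 3): string
{
    for ($i = 0; $i < $maxPasses; $i++) {
        $d = rawurldecode($s);
        if ($d === $s) {
            break;
        }
        $s = $d;
    }
    return $s;
}

// Pull client IP and request target out of a combined-format log line.
function parse_log_line(string $line): ?array
{
    if (!preg_match('~^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD|PUT|PATCH) (\S+) HTTP/~', $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'uri' => $m[2]];
}

// Return "<indicator> in <where>: <decoded value>" findings for one request.
function analyse_request(string $uri): array
{
    $qpos  = strpos($uri, '?');
    $path  = $qpos === false ? $uri : substr($uri, 0, $qpos);
    $query = $qpos === false ? '' : substr($uri, $qpos + 1);

    $candidates = ['path' => decode_fully($path)];
    parse_str($query, $params);                         // one level of decoding here
    foreach ($params as $name => $value) {
        if (is_string($value)) {
            $candidates["param $name"] = decode_fully($value);
        }
    }

    $findings = [];
    foreach ($candidates as $where => $value) {
        foreach (LFI_PATTERNS as $label => $regex) {
            if (preg_match($regex, $value)) {
                $findings[] = sprintf('%s in %s: %s', $label, $where, addcslashes($value, "\0..\37"));
            }
        }
    }
    return $findings;
}

function scan_log(array $lines): array
{
    $hits = [];
    foreach ($lines as $n => $line) {
        $req = parse_log_line($line);
        if ($req === null) {
            continue;
        }
        $findings = analyse_request($req['uri']);
        if ($findings) {
            $hits[] = ['line' => $n + 1, 'ip' => $req['ip'], 'uri' => $req['uri'], 'findings' => $findings];
        }
    }
    return $hits;
}

// Constructed sample: one benign request followed by typical LFI probes
// (plain traversal, double-encoded traversal, php://filter, session file + null byte).
$sample = [
    '203.0.113.5 - - [20/Aug/2025:10:00:01 +0000] "GET /index.php?template=contact HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [20/Aug/2025:10:00:02 +0000] "GET /index.php?template=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 0 "-" "curl/8.0"',
    '198.51.100.7 - - [20/Aug/2025:10:00:03 +0000] "GET /index.php?template=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 500 0 "-" "curl/8.0"',
    '198.51.100.7 - - [20/Aug/2025:10:00:04 +0000] "GET /index.php?template=php://filter/convert.base64-encode/resource=wp-config HTTP/1.1" 200 0 "-" "curl/8.0"',
    '198.51.100.7 - - [20/Aug/2025:10:00:05 +0000] "GET /index.php?template=../../../../../tmp/sess_d3adb33f%00.php HTTP/1.1" 500 0 "-" "curl/8.0"',
];

foreach (scan_log($sample) as $hit) {
    printf("line %d  %s  %s\n    %s\n", $hit['line'], $hit['ip'], $hit['uri'], implode("\n    ", $hit['findings']));
}
```

The benign first line produces no findings; each of the other four is flagged with the indicator and the decoded value, so an analyst sees "../../etc/passwd" rather than the "%252e..." the WAF or log shipper saw. Correlating these hits with PHP warnings from failed include() calls (the third detection bullet) is a matter of joining on timestamp and client IP in the SIEM.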
Monitoring Recommendations
- Enable verbose PHP error logging and forward logs to a centralized SIEM for analysis
- Monitor for anomalous reads of sensitive files such as wp-config.php, log files, and session storage directories
- Track outbound connections from the WordPress host that may indicate post-exploitation activity following successful inclusion
How to Mitigate CVE-2025-48157
Immediate Actions Required
- Identify all WordPress installations running the Formality plugin and inventory versions in use
- Disable or remove the Formality plugin on sites where an updated version is not yet available
- Restrict access to WordPress administration and form submission endpoints behind a WAF until patching is complete
Patch Information
No fixed version is identified in the available advisory data. Site operators should consult the Patchstack WordPress Vulnerability Advisory for the latest remediation guidance and apply any vendor-released update above version 1.5.9 once published.
Workarounds
- Configure open_basedir to confine file access to the WordPress directory tree, keeping in mind that PHP session and upload directories inside that tree remain includable; allow_url_include should be Off (the PHP default), but it only blocks remote inclusion and does not fix this local flaw
- Apply WAF signatures that block path traversal patterns and known LFI payloads targeting WordPress plugins
- Run the PHP-FPM worker under a least-privilege account that cannot read sensitive system files outside the web root
; Example php.ini hardening (defence in depth; none of these directives fixes the
; plugin itself, and only open_basedir constrains what include() can reach)
allow_url_include = Off   ; PHP default; blocks remote (RFI) wrappers only, not local inclusion
allow_url_fopen = Off     ; also blocks file_get_contents() on URLs; WordPress's HTTP API still works via the curl extension, but plugins that fetch URLs with stream functions will break
open_basedir = "/var/www/html:/tmp"   ; confine include/fopen; /tmp is where PHP session files land by default, a common LFI-to-RCE target
disable_functions = "exec,passthru,shell_exec,system,proc_open,popen"   ; limits post-exploitation, does not stop inclusion
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.