CVE-2025-49036 Overview
CVE-2025-49036 is a Local File Inclusion (LFI) vulnerability affecting the Premium Addons for KingComposer WordPress plugin developed by octagonwebstudio. The vulnerability stems from improper control of filename for include/require statements in PHP, allowing attackers to include local files on the target server. This can lead to information disclosure, server-side code execution, and potentially full system compromise.
Critical Impact
Unauthenticated attackers can exploit this PHP Local File Inclusion vulnerability to read sensitive files, access configuration data, and potentially achieve remote code execution on affected WordPress installations.
Affected Products
- Premium Addons for KingComposer plugin version 1.1.1 and earlier
- WordPress installations running vulnerable plugin versions
- Websites using KingComposer page builder with the Premium Addons extension
Discovery Timeline
- 2025-08-14 - CVE-2025-49036 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2025-49036
Vulnerability Analysis
This vulnerability is classified under CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program). The flaw exists because the Premium Addons for KingComposer plugin fails to properly sanitize user-controlled input before passing it to PHP include or require functions. This allows attackers to manipulate file paths and include arbitrary local files from the server's filesystem.
The attack can be executed remotely over the network, though exploitation requires high attack complexity. No authentication or user interaction is required to exploit this vulnerability. Successful exploitation can result in complete compromise of confidentiality, integrity, and availability of the affected system.
Root Cause
The root cause of CVE-2025-49036 lies in insufficient input validation within the plugin's file inclusion mechanism. When processing user-supplied parameters, the plugin does not adequately filter or sanitize path traversal sequences and file path inputs before using them in PHP include() or require() statements. This allows attackers to craft malicious requests that reference files outside the intended directory structure.
Attack Vector
The vulnerability is exploited through the network by sending specially crafted HTTP requests to the vulnerable WordPress plugin. An attacker can manipulate parameters to include local files such as /etc/passwd, wp-config.php, or log files. In more advanced scenarios, attackers may combine this LFI vulnerability with log poisoning techniques to achieve remote code execution by injecting PHP code into log files and then including those logs.
The attack flow typically involves:
- Identifying a vulnerable endpoint that accepts file path parameters
- Injecting path traversal sequences (e.g., ../../../) to escape the intended directory
- Including sensitive system or application files
- Optionally chaining with log poisoning for code execution
Detection Methods for CVE-2025-49036
Indicators of Compromise
- Unusual HTTP requests containing path traversal sequences (../) targeting the Premium Addons for KingComposer plugin
- Access logs showing attempts to include system files like /etc/passwd or wp-config.php
- Unexpected file access patterns in PHP error logs or web server access logs
- Evidence of log poisoning attempts with PHP code injection in User-Agent or Referer headers
Detection Strategies
- Deploy Web Application Firewall (WAF) rules to block requests containing path traversal patterns and LFI payloads
- Monitor web server access logs for requests to the plugin whose parameter values contain ../ sequences (including percent-encoded forms) or absolute file paths
- Implement file integrity monitoring on critical WordPress configuration files
- Use security plugins to scan for known vulnerable plugin versions
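As an added illustration (not part of the original advisory or the plugin's code) of the indicators and detection strategies listed above, the following script scans Apache-style access-log lines for traversal sequences, absolute-path parameter values, references to sensitive files, and PHP tags in User-Agent or Referer headers. The sample log lines and the plugin directory name are constructed placeholders, and percent-decoding is repeated so that double-encoded traversal is not missed.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Apache combined format, not real traffic); the plugin directory name is a placeholder, not the real slug.
SAMPLE_LOG = r'''
203.0.113.5 - - [14/Aug/2025:10:01:02 +0000] "GET /wp-content/plugins/plugin-slug-placeholder/view.php?file=header HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [14/Aug/2025:10:01:07 +0000] "GET /wp-content/plugins/plugin-slug-placeholder/view.php?file=../../../../etc/passwd HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
203.0.113.9 - - [14/Aug/2025:10:01:09 +0000] "GET /wp-content/plugins/plugin-slug-placeholder/view.php?file=%252e%252e%252fwp-config.php HTTP/1.1" 200 2201 "-" "Mozilla/5.0"
203.0.113.9 - - [14/Aug/2025:10:01:15 +0000] "GET /index.php HTTP/1.1" 200 301 "-" "<?php echo 1; ?>"
198.51.100.2 - - [14/Aug/2025:10:02:00 +0000] "GET /wp-content/plugins/plugin-slug-placeholder/view.php?file=/var/log/apache2/access.log HTTP/1.1" 200 9000 "-" "curl/8.0"
'''

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
SENSITIVE = ("/etc/passwd", "wp-config.php", "/proc/self/environ", "/var/log/")
PHP_TAG = re.compile(r"<\?(?:php|=)", re.IGNORECASE)  # PHP code planted in headers for log poisoning

def normalize(value: str) -> str:
    """Percent-decode until stable (catches double encoding), unify slashes, lowercase."""
    while (decoded := unquote(value)) != value:
        value = decoded
    return value.replace("\\", "/").lower()

def classify(line: str) -> list[str]:
    """Return the LFI-related indicators found in one log line (empty list if none)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    query = normalize(m["target"]).partition("?")[2]  # only parameter values, not the path itself
    hits = []
    if "../" in query:
        hits.append("path-traversal")
    if re.search(r"(?:^|&)[^=&]*=/", query):  # a parameter value that starts with an absolute path
        hits.append("absolute-path")
    if any(marker in query for marker in SENSITIVE):
        hits.append("sensitive-file-reference")
    if PHP_TAG.search(m["ua"]) or PHP_TAG.search(m["referer"]):
        hits.append("log-poisoning-attempt")
    return hits

def scan(log_text: str) -> list[tuple[str, str, list[str]]]:
    """Return (client ip, request target, indicators) for every suspicious line."""
    findings = []
    for line in log_text.strip().splitlines():
        if hits := classify(line):
            m = LOG_RE.match(line)
            findings.append((m["ip"], m["target"], hits))
    return findings
```

Feed the output into alerting keyed on client IP; a single source producing traversal, sensitive-file and log-poisoning hits in quick succession is the chained pattern the Attack Vector section describes.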
Monitoring Recommendations
- Configure real-time alerting for HTTP requests matching LFI attack signatures
- Review web server logs regularly for anomalous access patterns to the KingComposer plugin directories
- Monitor for unexpected file read operations, especially targeting sensitive system files
- Enable verbose PHP error logging in a secure location to detect exploitation attempts
How to Mitigate CVE-2025-49036
Immediate Actions Required
- Update Premium Addons for KingComposer to the latest patched version immediately
- If no patch is available, deactivate and remove the vulnerable plugin until a fix is released
- Implement WAF rules to block path traversal and LFI attack patterns
- Review server logs for evidence of prior exploitation attempts
- Restrict file permissions on sensitive configuration files to limit impact of potential exploitation
Patch Information
Organizations should monitor the Patchstack Vulnerability Report for the latest patch information and security updates. Ensure that all WordPress plugins are kept up to date and regularly audit installed plugins for known vulnerabilities.
Workarounds
- Disable the Premium Addons for KingComposer plugin until a security patch is available
- Implement server-level restrictions using open_basedir in PHP configuration to limit file access scope
- Deploy a WAF with rules specifically targeting LFI and path traversal attacks
- Use WordPress security plugins to add an additional layer of protection against file inclusion attacks
- Consider migrating to alternative page builder addons that have a stronger security track record
; PHP configuration hardening example (php.ini syntax)
; open_basedir is PHP_INI_ALL, so it can also be set per site with "php_value open_basedir ..." in an Apache .htaccess or vhost under mod_php,
; or with php_admin_value[open_basedir] in a PHP-FPM pool
open_basedir = "/var/www/html:/tmp"
; disable_functions is PHP_INI_SYSTEM: it takes effect only in php.ini (or a PHP-FPM pool's php_admin_value), not in .htaccess,
; and it cannot disable include/require/include_once/require_once, which are language constructs rather than functions.
; Disabling command-execution functions instead limits what an attacker can do after a successful file inclusion.
disable_functions = "exec,passthru,shell_exec,system,proc_open,popen"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

