CVE-2025-64284 Overview
CVE-2025-64284 is a PHP Local File Inclusion (LFI) vulnerability in the Majestic Support WordPress plugin. The flaw stems from improper control of filename input passed to PHP include or require statements [CWE-98]. Authenticated attackers with low privileges can coerce the plugin into loading arbitrary local PHP files on the server. The issue affects all versions of Majestic Support up to and including 1.0.7. Successful exploitation can lead to disclosure of sensitive files, execution of attacker-controlled PHP, and full compromise of the WordPress installation.
Critical Impact
Authenticated attackers can include arbitrary local files in PHP execution context, potentially escalating to remote code execution on the underlying web server.
Affected Products
- Majestic Support WordPress plugin versions up to and including 1.0.7
- WordPress sites running the majestic-support plugin
- PHP environments where the plugin processes user-controlled include paths
Discovery Timeline
- 2025-10-29 - CVE-2025-64284 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-64284
Vulnerability Analysis
The vulnerability is classified as Improper Control of Filename for Include/Require Statement in PHP Program [CWE-98]. The Majestic Support plugin passes user-controllable input into a PHP include or require construct without sufficient validation. PHP evaluates the included file as code, so any local file the web server process can read may be executed within the plugin's request context. The Patchstack advisory identifies the issue as a Local File Inclusion rather than a remote inclusion flaw. The attack requires network access to the WordPress instance and low-privilege authenticated access.
Root Cause
The plugin accepts a filename or path parameter and concatenates it into an include/require call without restricting the value to an allowlist of expected files. Missing input sanitization permits traversal sequences and references to arbitrary readable files. Because PHP interprets included content as source code, files such as log entries, uploaded media, or session data can be turned into execution primitives.
Attack Vector
An authenticated attacker sends a crafted HTTP request to a plugin endpoint that controls the include path. The attacker references a local file using path traversal or a direct path. The plugin loads and executes the referenced file in the PHP interpreter, returning its output or side effects to the attacker. Chaining this with a writable log file or uploaded asset enables arbitrary PHP execution.
No verified public proof-of-concept code is currently available. Refer to the Patchstack Vulnerability Report for technical details.
Detection Methods for CVE-2025-64284
Indicators of Compromise
- HTTP requests to Majestic Support plugin endpoints containing path traversal sequences such as ../ or ..%2f
- Requests including absolute paths to system files like /etc/passwd, wp-config.php, or php:// wrappers in query parameters
- Unexpected PHP execution originating from wp-content/plugins/majestic-support/ referencing files outside the plugin directory
- New or modified PHP files in upload directories shortly after plugin endpoints are accessed
Detection Strategies
- Inspect web server access logs for parameter values containing directory traversal patterns or PHP stream wrappers targeting plugin URLs
- Deploy WordPress-aware web application firewall (WAF) rules that block include-path manipulation against the majestic-support plugin
- Monitor PHP error logs for include() or require() warnings referencing unexpected file paths
Monitoring Recommendations
- Alert on reads of sensitive files such as wp-config.php by the web server user immediately following plugin requests
- Track outbound HTTP connections initiated by PHP processes that could indicate post-exploitation activity
- Correlate authenticated session activity from low-privileged accounts with anomalous plugin parameter usage
How to Mitigate CVE-2025-64284
Immediate Actions Required
- Update the Majestic Support plugin to a version later than 1.0.7 once a fixed release is published by the vendor
- Disable or remove the majestic-support plugin until a patched version is verified in place
- Audit WordPress user accounts and revoke unnecessary low-privilege access that could be leveraged for exploitation
- Review web server and PHP logs for prior exploitation attempts referencing the plugin
Patch Information
Consult the Patchstack Vulnerability Report for the current patch status. Versions through 1.0.7 are confirmed vulnerable. Apply vendor updates as soon as a fixed release is available.
Workarounds
- Block requests to vulnerable plugin endpoints at the WAF or reverse proxy layer until the plugin is patched or removed
- Configure PHP open_basedir to restrict file access to the WordPress document root, limiting the scope of local file inclusion
- Set allow_url_include = Off and allow_url_fopen = Off in php.ini to prevent escalation to remote inclusion techniques
# Configuration example: restrict PHP file access via open_basedir
# Add to php.ini or virtual host configuration
php_admin_value open_basedir "/var/www/html:/tmp"
php_admin_flag allow_url_include off
php_admin_flag allow_url_fopen off
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

