Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-64360

CVE-2025-64360: Consulting Elementor Widgets LFI Vulnerability

CVE-2025-64360 is a PHP local file inclusion vulnerability in StylemixThemes Consulting Elementor Widgets that allows attackers to include unauthorized files. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2025-64360 Overview

CVE-2025-64360 is a PHP Local File Inclusion (LFI) vulnerability affecting the Consulting Elementor Widgets plugin developed by StylemixThemes. The vulnerability stems from improper control of filename parameters used in PHP include/require statements, allowing attackers to include arbitrary local files from the server. This can lead to sensitive data exposure, including configuration files, database credentials, and other critical system information.

Critical Impact

Unauthenticated attackers can exploit this vulnerability remotely to read sensitive files from the WordPress server, potentially exposing database credentials, API keys, and other confidential information.

Affected Products

  • StylemixThemes Consulting Elementor Widgets versions up to and including 1.4.2
  • WordPress installations with the consulting-elementor-widgets plugin active
  • Sites running vulnerable versions without proper file access restrictions

Discovery Timeline

  • 2025-10-31 - CVE-2025-64360 published to NVD
  • 2026-01-20 - Last updated in NVD database

Technical Details for CVE-2025-64360

Vulnerability Analysis

This vulnerability falls under CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program). The Consulting Elementor Widgets plugin fails to properly sanitize user-controlled input before using it in PHP file inclusion operations. An attacker can manipulate filename parameters to traverse directories and include arbitrary local files from the server's filesystem.

The network-based attack vector means exploitation can occur remotely without requiring any user interaction or authentication. When successfully exploited, attackers gain read access to sensitive files on the server, potentially leading to credential theft, further system compromise, or data breaches.

Root Cause

The root cause lies in insufficient input validation and sanitization of user-supplied filename parameters within the plugin. The vulnerable code accepts user input that is subsequently used in PHP include() or require() statements without properly restricting the file path to safe directories. This allows path traversal sequences (such as ../) to escape the intended directory and access files elsewhere on the filesystem.

Attack Vector

The vulnerability is exploited via network-based requests to the WordPress installation running the vulnerable plugin. Attackers craft malicious requests containing path traversal sequences to include sensitive local files. Common targets include:

  • /etc/passwd - System user information
  • wp-config.php - WordPress database credentials
  • .htaccess files - Server configuration
  • Log files containing sensitive information

Since no authentication is required and the attack complexity is low, this vulnerability presents a significant risk to affected WordPress installations. The attack can be performed by sending specially crafted HTTP requests to endpoints exposed by the Consulting Elementor Widgets plugin.

Detection Methods for CVE-2025-64360

Indicators of Compromise

  • Unusual HTTP requests containing path traversal sequences (../, ..%2f, ..%252f) targeting the Consulting Elementor Widgets plugin endpoints
  • Web server access logs showing repeated requests with file inclusion patterns
  • Unexpected file access patterns in PHP logs indicating attempts to read sensitive files
  • Error messages in WordPress debug logs related to file inclusion failures

Detection Strategies

  • Monitor web application firewall (WAF) logs for path traversal attack patterns targeting WordPress plugin directories
  • Implement intrusion detection rules to alert on requests containing ../ sequences in plugin-related parameters
  • Audit WordPress plugin installations and verify Consulting Elementor Widgets version is not vulnerable
  • Review server access logs for requests targeting consulting-elementor-widgets endpoints with unusual parameters

Monitoring Recommendations

  • Enable detailed logging for the WordPress installation to capture all plugin-related requests
  • Configure security monitoring tools to alert on file inclusion attack signatures
  • Set up file integrity monitoring for critical WordPress configuration files
  • Implement real-time alerting for any successful access to sensitive files outside normal operation

How to Mitigate CVE-2025-64360

Immediate Actions Required

  • Update the Consulting Elementor Widgets plugin to a patched version above 1.4.2 if available
  • If no patch is available, consider temporarily deactivating the consulting-elementor-widgets plugin until a fix is released
  • Implement web application firewall (WAF) rules to block path traversal attempts
  • Review server logs for any signs of prior exploitation attempts
  • Restrict PHP file access permissions to limit the impact of potential LFI attacks

Patch Information

Consult the Patchstack WordPress Plugin Vulnerability Database for the latest patch information and remediation guidance from StylemixThemes. Monitor the WordPress plugin repository for updates to the Consulting Elementor Widgets plugin.

Workarounds

  • Implement WAF rules to block requests containing path traversal sequences targeting the plugin
  • Use PHP open_basedir directive to restrict file access to the WordPress installation directory
  • Consider implementing additional input validation at the web server level using mod_security or similar tools
  • Temporarily disable the plugin functionality until a patch is available
  • Restrict access to the WordPress admin area to trusted IP addresses
bash
# Example .htaccess rules to block path traversal attempts
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{QUERY_STRING} (\.\./|\.\.%2f|\.\.%252f) [NC,OR]
    RewriteCond %{REQUEST_URI} (\.\./|\.\.%2f|\.\.%252f) [NC]
    RewriteRule .* - [F,L]
</IfModule>

# PHP open_basedir restriction (add to php.ini or .user.ini)
# open_basedir = /var/www/html/wordpress:/tmp

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.