Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-68905

CVE-2025-68905: JNews Pay Writer LFI Vulnerability

CVE-2025-68905 is a PHP local file inclusion vulnerability in JNews Pay Writer plugin that allows attackers to include unauthorized files. This article covers technical details, affected versions up to 11.0.0, and mitigation.

Published:

CVE-2025-68905 Overview

CVE-2025-68905 is a Local File Inclusion (LFI) vulnerability affecting the JNews - Pay Writer WordPress plugin developed by jegtheme. The vulnerability stems from improper control of filename for include/require statements in PHP (CWE-98), allowing attackers to include local files on the server through manipulated input parameters.

This vulnerability affects the jnews-pay-writer plugin through version 11.0.0, potentially enabling attackers to read sensitive files, execute arbitrary PHP code if combined with other techniques, or extract configuration data from the WordPress installation.

Critical Impact

Attackers can leverage this Local File Inclusion vulnerability to read sensitive server files, potentially exposing database credentials, API keys, and other confidential configuration data from the WordPress installation.

Affected Products

  • JNews - Pay Writer WordPress Plugin versions through 11.0.0
  • WordPress installations using the jnews-pay-writer plugin

Discovery Timeline

  • 2026-01-22 - CVE-2025-68905 published to NVD
  • 2026-01-22 - Last updated in NVD database

Technical Details for CVE-2025-68905

Vulnerability Analysis

This vulnerability is classified as Improper Control of Filename for Include/Require Statement in PHP Program, which allows PHP Local File Inclusion attacks. In PHP applications, the include(), require(), include_once(), and require_once() functions are used to incorporate external PHP files into the executing script. When user-controllable input is passed to these functions without proper validation or sanitization, attackers can manipulate the file path to include unintended local files.

The JNews - Pay Writer plugin fails to properly validate or sanitize user-supplied input before using it in file inclusion operations. This design flaw allows malicious actors to traverse directory structures and include arbitrary files from the server's filesystem.

Root Cause

The root cause of CVE-2025-68905 lies in insufficient input validation within the JNews - Pay Writer plugin. The vulnerable code path accepts user-controllable parameters that are subsequently used in PHP file inclusion statements without proper sanitization. This allows attackers to use directory traversal sequences (such as ../) or direct file paths to reference files outside the intended scope.

Common exploitation patterns for this type of vulnerability include:

  • Reading the WordPress wp-config.php file to extract database credentials
  • Accessing server configuration files like /etc/passwd on Linux systems
  • Including log files that may contain injected PHP code (log poisoning)
  • Reading plugin and theme source code to identify additional vulnerabilities

Attack Vector

The attack vector for this vulnerability involves sending crafted HTTP requests to the WordPress installation with manipulated parameters targeting the vulnerable file inclusion functionality in the JNews - Pay Writer plugin. An attacker would typically identify the vulnerable parameter and supply a path traversal sequence to include sensitive files.

For example, an attacker might manipulate a template or file path parameter to traverse out of the plugin directory and access files elsewhere on the server. When successful, the contents of the included file are either displayed to the attacker or executed as PHP code, depending on the file type and server configuration.

The vulnerability can be exploited remotely without authentication if the vulnerable endpoint is accessible to unauthenticated users. Technical details and proof-of-concept information may be available through the Patchstack Vulnerability Report.

Detection Methods for CVE-2025-68905

Indicators of Compromise

  • Unusual HTTP requests containing directory traversal patterns (../, ..%2f, %2e%2e/) targeting the JNews - Pay Writer plugin endpoints
  • Web server access logs showing requests with file path references to sensitive files like wp-config.php, /etc/passwd, or log files
  • Unexpected file access patterns in system audit logs indicating reads of configuration or sensitive files
  • Error messages in WordPress debug logs indicating failed file inclusion attempts

Detection Strategies

  • Implement Web Application Firewall (WAF) rules to detect and block requests containing path traversal sequences targeting WordPress plugin directories
  • Monitor web server logs for requests to /wp-content/plugins/jnews-pay-writer/ containing suspicious path parameters
  • Deploy file integrity monitoring on critical WordPress files to detect unauthorized access or modifications
  • Enable and review WordPress debug logging for PHP inclusion errors or warnings

Monitoring Recommendations

  • Configure real-time alerting for HTTP requests containing encoded or unencoded directory traversal patterns
  • Establish baseline access patterns for plugin files and alert on anomalous access attempts
  • Monitor for unexpected PHP process file access to sensitive configuration files
  • Review web application logs regularly for patterns indicative of LFI exploitation attempts

How to Mitigate CVE-2025-68905

Immediate Actions Required

  • Update the JNews - Pay Writer plugin to a patched version when available from the vendor
  • If no patch is available, consider temporarily disabling the jnews-pay-writer plugin until a fix is released
  • Implement WAF rules to block path traversal attempts targeting the vulnerable plugin
  • Review server logs for evidence of exploitation attempts
  • Restrict file system permissions to limit the impact of potential LFI attacks

Patch Information

Organizations should monitor the official JNews marketplace and the Patchstack Vulnerability Report for patch availability. When a patched version becomes available, update immediately through the WordPress admin panel or by manually replacing plugin files.

Verify the plugin version after updating by checking wp-content/plugins/jnews-pay-writer/ for version information in the main plugin file header.

Workarounds

  • Temporarily deactivate and remove the JNews - Pay Writer plugin if it is not critical to site functionality
  • Implement server-side restrictions using open_basedir PHP directive to limit file access to the WordPress directory
  • Configure ModSecurity or similar WAF with rules to block LFI attempts targeting WordPress plugins
  • Use file permission hardening to ensure sensitive files like wp-config.php have restrictive permissions (e.g., 400 or 440)
  • Consider implementing a virtual patching solution through a WordPress security plugin until an official fix is available
bash
# Example: Restrict PHP open_basedir to WordPress directory
# Add to php.ini or .htaccess
php_admin_value open_basedir /var/www/html/wordpress/:/tmp/

# Example: Harden wp-config.php permissions
chmod 400 /var/www/html/wordpress/wp-config.php

# Example: ModSecurity rule to block path traversal
SecRule REQUEST_URI "@contains ../" "id:1001,phase:1,deny,status:403,msg:'Path traversal attempt blocked'"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.