First published: Sat May 10 2025(Updated: )
The WordPress Review Plugin: The Ultimate Solution for Building a Review Website plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 5.3.5 via the Post custom fields. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where PHP file types can be uploaded and included, or pearcmd is enabled on a server with register_argc_argv also enabled.
Credit: security@wordfence.com
Affected Software | Affected Version | How to fix |
---|---|---|
WordPress Review Plugin | <=5.3.5 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2025-2158 has a moderate severity level, allowing authenticated attackers to exploit Local File Inclusion vulnerabilities.
To fix CVE-2025-2158, update the WordPress Review Plugin to version 5.3.6 or later.
All users of the WordPress Review Plugin: The Ultimate Solution for Building a Review Website up to version 5.3.5 are affected by CVE-2025-2158.
Exploiting CVE-2025-2158 could allow an authenticated user to execute arbitrary files on the server.
CVE-2025-2158 was disclosed in 2025 as a vulnerability affecting all versions up to and including 5.3.5.