CVE-2025-31014
📋 TL;DR
This vulnerability allows attackers to include local files on the server through PHP's include/require statements, potentially leading to sensitive information disclosure or code execution. It affects all WordPress installations using Material Dashboard plugin versions up to 1.4.5.
💻 Affected Systems
- Material Dashboard WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, data theft, or website defacement
Likely Case
Sensitive file disclosure including configuration files, database credentials, or user data
If Mitigated
Limited impact if file permissions are restrictive and web server runs with minimal privileges
🎯 Exploit Status
Simple HTTP requests can trigger the vulnerability without authentication
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.4.6 or later
Restart Required: No
Instructions:
1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find Material Dashboard plugin
4. Click 'Update Now' if available
5. If no update available, deactivate and delete plugin
6. Install latest version from WordPress repository
🔧 Temporary Workarounds
Disable vulnerable plugin
allTemporarily disable the Material Dashboard plugin until patched
wp plugin deactivate material-dashboard
Restrict PHP file functions
allUse PHP configuration to disable dangerous functions
Add 'disable_functions = include,require' to php.ini
🧯 If You Can't Patch
- Implement web application firewall rules to block file inclusion patterns
- Restrict web server permissions to prevent reading sensitive files
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Material Dashboard versionCheck Version:
wp plugin get material-dashboard --field=versionVerify Fix Applied:
Confirm plugin version is 1.4.6 or higher in WordPress admin📡 Detection & Monitoring
Log Indicators:
- Unusual file paths in PHP error logs
- Multiple requests to plugin files with path traversal parameters
Network Indicators:
- HTTP requests containing '../' or absolute paths in query parameters
- Requests to wp-content/plugins/material-dashboard/ with unusual parameters
SIEM Query:
source="web_logs" AND (uri="*material-dashboard*" AND (query="*../*" OR query="*/etc/*" OR query="*C:*"))