CVE-2025-48302
📋 TL;DR
An attacker can make the server include a local file because a FundEngine include/require statement builds its filename from attacker-controlled input (improper control of the include filename, CWE-98). The advisory covers FundEngine (WordPress plugin) versions up to and including 1.7.4; no lower bound is given. Depending on which files can be included, the result ranges from disclosure of sensitive files to remote code execution.
💻 Affected Systems
- WordPress FundEngine plugin (also called Roxnor FundEngine)
⚠️ Manual Verification Required
The CVE record imported here carries no machine-readable affected-version range, so automated detection cannot determine whether your installation is affected, even though the vendor fix is listed below as 1.7.5. Use the manual version check under 'How to Verify'.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete server compromise, data exfiltration, and lateral movement within the network.
Likely Case
Local file inclusion allowing reading of sensitive files like configuration files, password files, or source code, potentially leading to credential theft.
If Mitigated
File reads confined to the web root and any other directories PHP is permitted to open, if open_basedir and restrictive file permissions are in place; files inside those directories, such as wp-config.php, remain readable.
🎯 Exploit Status
No public exploit is cited on this page. For this bug class, exploitation typically means supplying a crafted value in a URL parameter that the plugin passes to include/require, so that the server includes a local file such as /etc/passwd or a PHP session file. If the attacker can first seed content into a file that is then included (a session file, for example), inclusion turns into code execution. Expect URL-encoded variants of the payload (%2e%2e%2f), not only the literal '../'.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.7.5 or later
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'FundEngine' or 'WP Fundraising Donation'.
4. Click 'Update Now' if available.
5. If no update is available, download version 1.7.5 or later from the WordPress plugin repository and update manually.
🔧 Temporary Workarounds
Disable vulnerable functionality
Temporarily disable the FundEngine plugin until patched
wp plugin deactivate fundengine
Web Application Firewall rule
Block requests containing local file inclusion patterns
WAF-specific rule matching '..' path segments, '/etc/' or 'php://' in URL parameters and request bodies. Apply URL decoding before matching (attackers send %2e%2e%2f and double-encoded ..%252f), and match '..' only as a path segment, otherwise free-text fields that happen to contain '..' trigger false positives.
🧯 If You Can't Patch
- If you maintain the plugin code: restrict the filename passed to include/require to a fixed allowlist of template names, and confirm the resolved path stays inside the intended directory, rather than trying to sanitise a free-form path
- Set open_basedir in php.ini (or the PHP-FPM pool) to the WordPress root plus PHP's temp and session directories. This stops reads of files such as /etc/passwd but not of files inside the permitted directories (for example wp-config.php)
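The allowlist approach above, as an added example that is not FundEngine's code: a resolver in the vulnerable shape (request value spliced into the include path) next to a hardened one. The template directory, the assumed parameter name "tpl" and the template file names are illustrative assumptions.

```php
<?php
// Added example (not FundEngine's code): the include pattern behind this class of
// bug next to a hardened version. The template directory, the request parameter
// name "tpl" and the template file names are assumptions for illustration.

declare(strict_types=1);

// VULNERABLE: the request value is spliced into the include path unchanged.
// "../../../../etc/passwd" walks out of the directory. Where the include has no
// fixed directory prefix at all, stream wrappers such as
// "php://filter/convert.base64-encode/resource=wp-config.php" become reachable too.
function resolve_template_vulnerable(string $templateDir, string $requested): string
{
    return $templateDir . '/' . $requested;
}

// HARDENED: only names from a fixed allowlist are accepted, and the resolved
// path is then confirmed to lie inside the template directory.
function resolve_template_safe(string $templateDir, string $requested): ?string
{
    $allowed = ['campaign-list.php', 'donation-form.php', 'thank-you.php']; // assumed names
    if (!in_array($requested, $allowed, true)) {
        return null;
    }
    $base = realpath($templateDir);
    $path = realpath($templateDir . '/' . $requested);
    if ($base === false || $path === false) {
        return null; // directory or template missing
    }
    // realpath() has resolved ".." and symlinks, so a prefix check is now meaningful.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Demonstration against a throwaway template directory (created here, removed below).
$dir = sys_get_temp_dir() . '/lfi-demo-' . getmypid();
mkdir($dir, 0700);
file_put_contents($dir . '/donation-form.php', "<?php echo \"  (donation form rendered)\\n\";\n");

$requests = [
    'donation-form.php',                                        // legitimate
    '../../../../../../etc/passwd',                             // traversal
    'php://filter/convert.base64-encode/resource=wp-config.php', // stream wrapper
];
foreach ($requests as $tpl) {
    echo "tpl=$tpl\n";
    echo "  vulnerable would include: " . resolve_template_vulnerable($dir, $tpl) . "\n";
    $safe = resolve_template_safe($dir, $tpl);
    echo "  hardened: " . ($safe === null ? 'rejected' : "include $safe") . "\n";
    if ($safe !== null) {
        include $safe;
    }
}
unlink($dir . '/donation-form.php');
rmdir($dir);
```

Run it with `php resolve-template.php`. The allowlist does the real work; the realpath prefix check is a second line of defence in case the allowlist is later widened to values that contain separators.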
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → FundEngine version. If version is 1.7.4 or earlier, you are vulnerable.
Check Version (the slug passed to wp-cli is the plugin's directory name under wp-content/plugins, which may differ from the display name; confirm it with `wp plugin list` first):
wp plugin get fundengine --field=version
Verify Fix Applied:
Confirm plugin version is 1.7.5 or later in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests whose parameters contain '..' path segments, '/etc/', 'php://', or their URL-encoded forms (%2e%2e%2f, ..%252f, php%3A%2F%2F)
- Multiple failed attempts to access sensitive file paths
Network Indicators:
- Unusual GET/POST requests to FundEngine endpoints carrying file-path values in parameters
- Bursts of requests from one client that vary a single file-path parameter (enumeration of candidate files to include)
SIEM Query (matches the raw URI; '..%252f' and 'php%3A%2F%2F' are not caught by the literal patterns, so also run it against a URL-decoded field where your SIEM provides one):
source="web_server_logs" AND (uri="*..*" OR uri="*%2e%2e*" OR uri="*/etc/*" OR uri="*php://*")
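The decoding caveat above, as an added example that is not part of the advisory or the vendor's code: a scanner for combined-format access logs that URL-decodes each request URI (bounded, so double encoding settles) before matching, so encoded and double-encoded traversal and encoded php:// wrappers are flagged while '..' inside ordinary text is not. The log lines are constructed for the example, and the "page" parameter name is an assumption, not a FundEngine identifier.

```php
<?php
// Added example, not the advisory's or the vendor's code: a scanner for web
// server access logs that URL-decodes each request URI before matching, so
// encoded traversal (%2e%2e%2f), double-encoded traversal (..%252f) and encoded
// php:// wrappers are flagged, while ".." inside ordinary text is not.
// The log lines below are constructed for this example; the "page" parameter
// is an assumption, not a FundEngine identifier.

declare(strict_types=1);

// Bounded repeated decoding so double-encoded payloads settle to plain text.
function normalize_uri(string $uri): string
{
    for ($i = 0; $i < 3; $i++) {
        $decoded = rawurldecode($uri);
        if ($decoded === $uri) {
            break;
        }
        $uri = $decoded;
    }
    return str_replace('\\', '/', $uri); // treat "..\" like "../"
}

// Reason the URI looks like a local file inclusion attempt, or null if clean.
function lfi_indicator(string $rawUri): ?string
{
    $uri = normalize_uri($rawUri);
    $checks = [
        'path traversal'        => '#(^|[/=])\.\.(/|$)#', // ".." as a path segment only
        '/etc/ target'          => '#/etc/#i',
        'php:// stream wrapper' => '#php://#i',
        'PHP session file'      => '#/sess_[0-9a-z]#i',
    ];
    foreach ($checks as $reason => $pattern) {
        if (preg_match($pattern, $uri) === 1) {
            return $reason;
        }
    }
    return null;
}

// Parse combined-format lines and return the suspicious ones with a reason.
function scan_access_log(array $lines): array
{
    $hits = [];
    $re = '/^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})/';
    foreach ($lines as $line) {
        if (preg_match($re, $line, $m) !== 1) {
            continue;
        }
        $reason = lfi_indicator($m[3]);
        if ($reason !== null) {
            $hits[] = ['client' => $m[1], 'method' => $m[2], 'uri' => $m[3],
                       'status' => (int) $m[4], 'reason' => $reason];
        }
    }
    return $hits;
}

// Constructed sample log (combined format). Lines 2 to 5 are attacks; 1 and 6 are benign.
$log = [
    '192.0.2.5 - - [10/Jun/2025:12:00:01 +0000] "GET /?page=donation-form.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [10/Jun/2025:12:00:02 +0000] "GET /?page=../../../../etc/passwd HTTP/1.1" 200 1820 "-" "curl/8.0"',
    '203.0.113.10 - - [10/Jun/2025:12:00:03 +0000] "GET /?page=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1820 "-" "curl/8.0"',
    '198.51.100.7 - - [10/Jun/2025:12:00:04 +0000] "GET /?page=..%252f..%252fetc%252fpasswd HTTP/1.1" 200 1820 "-" "python-requests/2.31"',
    '198.51.100.7 - - [10/Jun/2025:12:00:05 +0000] "GET /?page=php%3A%2F%2Ffilter%2Fconvert.base64-encode%2Fresource%3Dwp-config.php HTTP/1.1" 200 4096 "-" "python-requests/2.31"',
    '192.0.2.5 - - [10/Jun/2025:12:00:06 +0000] "GET /?s=what..is..this HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
];

foreach (scan_access_log($log) as $h) {
    printf("%-13s %s %-75s %d  %s\n", $h['client'], $h['method'], $h['uri'], $h['status'], $h['reason']);
}
```

Against this sample the scanner reports lines 2 to 5 and nothing else; the literal SIEM query above would match line 2, line 4 (the raw text contains '..') and the benign line 6, and miss lines 3 and 5. To run it on a real log, replace the `$log` array with `file('/var/log/apache2/access.log', FILE_IGNORE_NEW_LINES)`.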