CVE-2025-60202
📋 TL;DR
This vulnerability allows attackers to include local files on the server through improper filename control in PHP's include/require statements. It affects WordPress sites using the Favorites plugin versions up to and including 2.3.6, potentially leading to sensitive information disclosure or code execution.
💻 Affected Systems
- WordPress Favorites Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise through Local File Inclusion leading to Remote Code Execution, allowing attackers to read sensitive files like /etc/passwd, database credentials, or execute arbitrary PHP code.
Likely Case
Sensitive file disclosure including configuration files, user data, or source code, potentially leading to further attacks.
If Mitigated
Limited impact if file permissions are properly configured and sensitive files are not accessible via web server user.
🎯 Exploit Status
Simple LFI exploitation typically requires minimal technical skill. Public exploit details available in security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.3.7 or later
Vendor Advisory: https://patchstack.com/database/Wordpress/Plugin/favorites/vulnerability/wordpress-favorites-plugin-2-3-6-local-file-inclusion-vulnerability?_s_id=cve
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'Favorites' plugin. 4. Click 'Update Now' if update available. 5. Alternatively, download version 2.3.7+ from WordPress repository and replace plugin files.
🔧 Temporary Workarounds
Disable Plugin
allTemporarily disable the Favorites plugin until patched
wp plugin deactivate favorites
Restrict File Access
linuxConfigure web server to restrict access to sensitive directories and files
# In Apache: <Directory /path/to/sensitive> Require all denied </Directory>
# In Nginx: location ~ /\.(ht|env|config) { deny all; }
🧯 If You Can't Patch
- Implement Web Application Firewall (WAF) rules to block LFI patterns and suspicious file inclusion attempts
- Apply principle of least privilege to web server user account and restrict file system access
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Favorites plugin version. If version is 2.3.6 or earlier, system is vulnerable.Check Version:
wp plugin get favorites --field=versionVerify Fix Applied:
Verify plugin version is 2.3.7 or later in WordPress admin panel. Test functionality to ensure plugin still works correctly.📡 Detection & Monitoring
Log Indicators:
- Unusual file path patterns in access logs (e.g., ../../../etc/passwd)
- Multiple 404 errors for non-existent plugin files with path traversal sequences
- PHP warnings about failed file inclusions
Network Indicators:
- HTTP requests containing path traversal sequences (../) to plugin endpoints
- Requests for known sensitive files through plugin parameters
SIEM Query:
source="web_access_logs" AND (uri="*../*" OR uri="*/etc/*" OR uri="*config*" OR uri="*.env*") AND user_agent!="*bot*"