CVE-2025-4414
Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in cmsmasters CMSMasters Content Composer cmsmasters-content-composer allows PHP Local File Inclusion. This issue affects CMSMasters Content Composer: from n/a through < 2.5.7.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Improper filename control in CMSMasters Content Composer plugin (< 2.5.7) allows local file inclusion, risking credential exposure and database takeover.
Vulnerability Description
The CMSMasters Content Composer plugin for WordPress suffers from a PHP Local File Inclusion vulnerability due to improper control of filenames in include/require statements. Versions prior to 2.5.7 allow an attacker to specify a file path that is then included and executed or displayed [1].
Exploitation
An attacker can craft a malicious request to the vulnerable plugin, potentially without authentication, to include arbitrary local files from the server. The attack can be performed remotely, making it accessible to any unauthenticated user [1].
Impact
Successful exploitation enables the attacker to read sensitive files, such as wp-config.php, which contains database credentials. This could lead to complete database takeover, depending on the server configuration and the attacker's subsequent actions [1].
Mitigation
The vendor has released version 2.5.7 which patches the vulnerability. Users are strongly urged to update immediately. Alternatively, Patchstack provides a mitigation rule to block attacks until the update is applied [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: < 2.5.7
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.