CVE-2025-52809
Description
The National Weather Service Alerts plugin for WordPress ≤1.3.5 is vulnerable to Local File Inclusion (LFI) via uncontrolled filename input.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Description
The National Weather Service Alerts plugin for WordPress versions up to and including 1.3.5 suffers from a PHP Local File Inclusion (LFI) vulnerability. The root cause is improper control of a filename used in a PHP include/require statement, classified as CWE-98. This allows an attacker to control the path of an included file, leading to unauthorized file inclusion [1].
Exploitation
To exploit this vulnerability, an attacker must be able to send crafted requests to a WordPress site running the vulnerable plugin. No authentication is required, and the attack vector is network-based (via HTTP). The LFI occurs because the plugin does not properly sanitize user-supplied input used in file inclusion operations, allowing the inclusion of arbitrary local files from the server's filesystem [1].
Impact
Successful exploitation could allow an attacker to read sensitive local files on the target website, such as configuration files containing database credentials. Depending on the site configuration, this could lead to complete database compromise. The CVSS v3 base score is 8.1, indicating a high severity. This vulnerability is considered highly dangerous and is expected to be used in mass-exploit campaigns, targeting thousands of websites at once [1].
Mitigation
The vendor has not released a patch, and users are strongly advised to update the affected plugin immediately. If updating is not possible, users should contact their hosting provider or web developer for assistance. Administrators should review site files for signs of compromise and consider implementing Web Application Firewall (WAF) rules to block path traversal attempts [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <=1.3.5
- (no CPE) range: <=1.3.5
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 1
News mentions
No linked articles in our index yet.