CVE-2025-58024

Vulnerability

An Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, also known as PHP Remote File Inclusion, exists in the UnboundStudio Accordion FAQ plugin. This vulnerability allows for PHP Local File Inclusion. It affects Accordion FAQ versions from n/a through 2.2.1 [1].

Exploitation

An attacker can exploit this vulnerability by including local files from the target website. The exact steps and required conditions, such as network position or authentication, are not detailed in the available references, but the vulnerability allows for the inclusion of local files [1].

Impact

Successful exploitation allows a malicious actor to include local files of the target website and display their content. This could lead to the disclosure of sensitive information, such as database credentials, potentially enabling a complete database takeover depending on the server's configuration [1].

Mitigation

It is recommended to update the affected Accordion FAQ plugin to a version later than 2.2.1. If an update is not immediately possible, users should seek assistance from their hosting provider or web developer. Information regarding a specific fixed version release date or if the plugin is end-of-life is not yet disclosed in the available references [1].