CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2025-31340

CVSS 9.9v4.0pub. 2025-04-17upd. 2026-04-15

A improper control of filename for include/require statement in PHP program vulnerability in the retrieve course Information function of Wisdom Master Pro versions 5.0 through 5.2 allows remote attackers to perform arbitrary system commands by running a malicious file.

🤖 AI Analysis
How it works

The application improperly validates the filename passed to the include or require statement in PHP as part of the course information retrieval function. An attacker without any authentication can provide a path to a malicious file (local or remote) which will then be loaded and executed by the PHP interpreter. As a result, it is possible to execute arbitrary system commands on the server.

Impact

An attacker can gain full control over the server — execute arbitrary system commands, read or modify application data, and potentially take control of the infrastructure on which the application runs.

Mitigation & patch

Apply patches available from the vendor according to the references (https://zuso.ai/advisory/za-2025-03). Until the fix is deployed, it is recommended to restrict access to vulnerable application functions at the firewall or web server level and disable the allow_url_include directive in PHP configuration.

Who is affected

Wisdom Master Pro in versions 5.0 to 5.2 (inclusive)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
CWE
References