CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2025-48293

CVSS 9.8v3.1pub. 2025-08-14upd. 2026-04-23

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Dylan Kuhn Geo Mashup geo-mashup allows PHP Local File Inclusion.This issue affects Geo Mashup: from n/a through <= 1.13.16.

🤖 AI Analysis
How it works

The vulnerability results from improper file name validation in PHP include/require instructions (CWE-98). An attacker can manipulate input parameters in such a way that the application includes and executes an arbitrary local PHP file on the server. Authentication or user interaction is not required, and the attack is possible directly over the network.

Impact

An attacker can gain full access to sensitive data on the server, modify website content, or cause it to become unavailable. In favorable circumstances, remote code execution (RCE) on the target server is also possible.

Mitigation & patch

Patches available from the vendor should be applied according to the references — update the Geo Mashup plugin to a version higher than 1.13.16 immediately after release by the author or WordPress repository.

Who is affected

Geo Mashup plugin by Dylan Kuhn for WordPress in versions from n/a to 1.13.16 inclusive.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
CWE
References