CVE-2025-24685 HIGH

CVE-2025-24685: WordPress Morkva UA Shipping plugin <= 1.0.18 - Local File Inclusion vulnerability

Vendor: Ihor Kit
Product: Morkva UA Shipping
Weakness: CWE-35
Published: January 27, 2025
Last update: April 28, 2026

CVSS base score

8.1/10
Attack vector: Network
Attack complexity: High
Privileges required: None
User interaction: None
Confidentiality: High
Integrity: High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

Path Traversal: '.../...//' vulnerability in Ihor Kit Morkva UA Shipping (morkva-ua-shipping) allows PHP Local File Inclusion. This issue affects Morkva UA Shipping versions up to and including 1.0.18.

Explanation of Vulnerability in Simple Terms

02 Summary

Morkva UA Shipping versions up to 1.0.18 contain a vulnerability that allows an attacker to read sensitive data, modify site content, or disrupt service availability. The vulnerability requires network access and high attack complexity but no authentication. The exact nature of the flaw is unclear due to incomplete vulnerability classification data.

What an attacker can do

03 Attacker Capabilities

Read sensitive data, modify site content, or disrupt service availability without authentication.

Potential impact on your site

04 Site Impact

If your site uses Morkva UA Shipping ≤1.0.18, an attacker could compromise data confidentiality, integrity, or availability.

Conditions required to exploit

05 Prerequisites

Network access; no user authentication required, but attack complexity is high.

Key dates

06 Disclosure timeline

January 27, 2025: CVE published
April 28, 2026: Record updated