CVE-2025-58608 HIGH

CVE-2025-58608: WordPress MediaPress Plugin <= 1.5.9.1 - Local File Inclusion Vulnerability

Vendor Buddydev
Product MediaPress
Weakness CWE-98 · PHP file inclusion
Published September 3, 2025
Last update May 13, 2026

CVSS base score

7.5/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction None
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in BuddyDev MediaPress (plugin slug: mediapress) allows PHP Local File Inclusion. This issue affects MediaPress versions up to and including 1.5.9.1.

Explanation of Vulnerability in Simple Terms

02 Summary

MediaPress versions up to 1.5.9.1 contain a PHP local file inclusion vulnerability (CWE-98) that allows authenticated users with low privileges to execute arbitrary code on the site. Exploitation requires specific attack conditions to be met (CVSS attack complexity: High), but grants full control over the affected system once successful. Update to version 1.6.3 or later to remediate.

What an attacker can do

03 Attacker Capabilities

Run arbitrary code on the site with the privileges of the web server.

Potential impact on your site

04 Site Impact

A low-privilege user account can be leveraged to compromise the entire site and access sensitive data.

Conditions required to exploit

05 Prerequisites

Attacker must have a low-privilege user account on the site; specific attack conditions must be met.

Key dates

06 Disclosure timeline

September 3, 2025 CVE published
May 13, 2026 Record updated