WordPress Plugin Vulnerabilities

Custom Field List Widget <= 1.5.1 - Unauthenticated Local File Inclusion

Description

The Custom Field List Widget plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 1.5.1. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.

Affects Plugins

Plugin icon
custom-field-list-widget
No known fix

References

CVE
CVE-2025-23952
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/9f130158-8c68-4a39-a94b-1f0ce81b1799

Classification

Type
RFI
OWASP top 10
A1: Injection
CWE
CWE-98
CVSS
9.8 (critical)

Miscellaneous

Original Researcher
LVT-tholv2k
Verified
No
WPVDB ID
82b6d784-4e63-4537-981c-f9109e0d2b3d

Timeline

Publicly Published
2025-03-17 (about 1 year ago)
Added
2025-03-25 (about 1 year ago)
Last Updated
2025-03-25 (about 1 year ago)

Other

Published
Title
Published
2025-09-04
Title
Exit Game <= 1.4.3 - Unauthenticated Local File Inclusion
Published
2025-06-12
Title
School Management <= 93.0.0 - Authenticated (Student+) Local File Inclusion
Published
2025-06-11
Title
Simen <= 4.6 - Unauthenticated Local File Inclusion
Published
2025-05-07
Title
Display Eventbrite Events < 6.3 - Authenticated (Contributor+) Local File Inclusion
Published
2025-04-04
Title
EventON < 2.4.2 - Contributor+ Local File Inclusion