Service Shogun Ach Invoice App Plugin up to 1.0.1 on WordPress Include/Require filename control
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 5.3 | $0-$5k | 0.00 |
Summary
A vulnerability marked as problematic has been reported in Service Shogun Ach Invoice App Plugin up to 1.0.1 on WordPress. The impacted element is the function Include/Require. This manipulation causes filename control.
The identification of this vulnerability is CVE-2025-22364. It is possible to initiate the attack remotely. There is no exploit available.
Details
A vulnerability classified as problematic was found in Service Shogun Ach Invoice App Plugin up to 1.0.1 on WordPress. Affected by this vulnerability is the function Include/Require. The manipulation with an unknown input leads to a filename control vulnerability. The CWE definition for the vulnerability is CWE-98. The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions. As an impact it is known to affect confidentiality, integrity, and availability. The summary by CVE is:
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Service Shogun Ach Invoice App allows PHP Local File Inclusion.This issue affects Ach Invoice App: from n/a through 1.0.1.
The weakness was shared by Tahu.datar. It is possible to read the advisory at patchstack.com. This vulnerability is known as CVE-2025-22364 since 01/03/2025. The exploitation appears to be easy. The attack can be launched remotely. It demands that the victim is doing some kind of user interaction. Technical details of the vulnerability are known, but there is no available exploit.
There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Product
Type
Vendor
Name
Version
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 5.5VulDB Meta Temp Score: 5.3
VulDB Base Score: 5.5
VulDB Temp Score: 5.3
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
Exploiting
Class: Filename controlCWE: CWE-98
CAPEC: 🔍
ATT&CK: 🔍
Physical: No
Local: No
Remote: Yes
Availability: 🔍
Status: Not defined
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: no mitigation knownStatus: 🔍
0-Day Time: 🔍
Timeline
01/03/2025 🔍01/07/2025 🔍
01/07/2025 🔍
02/15/2025 🔍
Sources
Advisory: patchstack.comResearcher: Tahu.datar
Status: Not defined
CVE: CVE-2025-22364 (🔍)
GCVE (CVE): GCVE-0-2025-22364
GCVE (VulDB): GCVE-100-290539
Entry
Created: 01/07/2025 14:54Updated: 02/15/2025 07:33
Changes: 01/07/2025 14:54 (21), 01/07/2025 14:57 (34), 02/15/2025 07:33 (3)
Complete: 🔍
Committer: sany
Cache ID: 216::103
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
No comments yet. Languages: en.
Please log in to comment.