CVE-2021-25051: 
WordPress vulnerability analysis and mitigation

The Modal Window WordPress plugin before version 5.2.2 contains a critical vulnerability identified as CVE-2021-25051. The vulnerability was discovered in the wow-company admin menu page functionality, which allows for arbitrary file inclusion with PHP extension, including support for data:// or http:// protocols. The vulnerability was publicly disclosed on December 5, 2021, and was subsequently fixed in version 5.2.2 (WPScan).

The vulnerability is classified as a Remote File Inclusion (RFI) leading to Remote Code Execution (RCE) via Cross-Site Request Forgery (CSRF). It has been assigned a CVSS score of 8.4 (High) and is categorized under OWASP Top 10 A1: Injection and CWE-94. The vulnerability requires PHP's allow_url_include to be set to "On" to be exploitable (WPScan).

If successfully exploited, this vulnerability could allow an attacker to execute arbitrary code on the affected system through remote file inclusion. The combination of RFI with CSRF makes this vulnerability particularly dangerous as it could potentially be triggered without direct user interaction (WPScan).

The recommended mitigation is to upgrade the Modal Window WordPress plugin to version 5.2.2 or later. If immediate upgrading is not possible, administrators should consider disabling the plugin until an update can be applied (WPScan).