CVE-2023-25995: 
WordPress vulnerability analysis and mitigation

The AI Mortgage Calculator WordPress plugin version 1.0.1 and earlier contains a Local File Inclusion vulnerability identified as CVE-2023-25995. The vulnerability was discovered by researcher 0x1ceKing and publicly disclosed on June 5, 2025. This security issue affects the choicehomemortgage AI Mortgage Calculator plugin through version 1.0.1 (Patchstack).

The vulnerability is classified as an Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability. It has been assigned a CVSS v3.1 Base Score of 7.5 (High) with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H. The vulnerability is tracked under CWE-98 which relates to improper control of filename for include/require statements in PHP programs (NVD).

This vulnerability could allow a malicious actor to include local files of the target website and display their contents. Particularly sensitive files containing credentials, such as database configuration files, could be exposed, potentially leading to complete database compromise depending on the system configuration (Patchstack).

Currently, there is no official fix available for this vulnerability. The issue affects all versions through 1.0.1, and no patched version has been released (Patchstack).