CVE-2025-22279: 
WordPress vulnerability analysis and mitigation

CVE-2025-22279 is a Local File Inclusion vulnerability discovered in Crocoblock JetCompareWishlist WordPress plugin affecting versions through 1.5.9. The vulnerability was discovered and reported by researcher stealthcopter, and was publicly disclosed on April 10, 2025 (Patchstack).

The vulnerability is classified as an Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability. It has received a CVSS v3.1 base score of 7.5 (High) with the following vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H. The vulnerability requires Contributor-level privileges or higher to exploit (NVD).

This vulnerability could allow a malicious actor to include local files of the target website and display their contents. Particularly sensitive files containing credentials, such as database configuration files, could potentially be exposed, which might lead to complete database compromise depending on the system configuration (Patchstack).

The vulnerability has been patched in version 1.5.10 of the JetCompareWishlist plugin. Users are advised to update to version 1.5.10 or later to remediate this security issue (Patchstack).