CVE-2025-22656: 
WordPress vulnerability analysis and mitigation

The Cookie Monster WordPress plugin versions through 1.2.2 contains a Local File Inclusion vulnerability (CVE-2025-22656). This security flaw was discovered and reported by researcher LVT-tholv2k, and was publicly disclosed on February 3, 2025. The vulnerability affects the Oscar Alvarez Cookie Monster plugin and allows for PHP Local File Inclusion attacks (Patchstack).

The vulnerability has been assigned a CVSS v3.1 Base Score of 8.1 (HIGH) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. It is classified as CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program). The vulnerability can be exploited without authentication, making it particularly dangerous (Patchstack).

This Local File Inclusion vulnerability could allow malicious actors to include and display local files from the target website. Particularly sensitive files containing credentials, such as database configuration files, could be exposed, potentially leading to complete database compromise depending on the server configuration (Patchstack).

Currently, no official fix is available for this vulnerability. However, Patchstack has issued a virtual patch to mitigate the issue by blocking potential attacks until an official fix becomes available. Website administrators are advised to implement these mitigations immediately (Patchstack).