CVE-2025-23948: 
WordPress vulnerability analysis and mitigation

The Background animation blocks WordPress plugin contains a Local File Inclusion (LFI) vulnerability, identified as CVE-2025-23948. This vulnerability affects versions up to and including 2.1.5 of the plugin. The issue was discovered by researcher LVT-tholv2k and was publicly disclosed on January 16, 2025 (Patchstack).

The vulnerability is classified as an Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion'). It has received a CVSS v3.1 base score of 8.1 (High) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. The vulnerability is tracked under CWE-98 (NVD).

This vulnerability could allow a malicious actor to include local files of the target website and display their contents. Particularly sensitive files containing credentials, such as database configuration files, could be exposed, potentially leading to complete database compromise depending on the system configuration (Patchstack).

As of the disclosure date, no official fix is available for this vulnerability. Patchstack has issued a virtual patch to mitigate the issue by blocking potential attacks until an official fix becomes available. Users are advised to implement mitigation measures immediately (Patchstack).