CVE-2025-26985: 
WordPress vulnerability analysis and mitigation

A Local File Inclusion vulnerability (CVE-2025-26985) was discovered in the WordPress Majestic Support plugin affecting versions through 1.0.6. The vulnerability was initially reported by security researcher Trương Hữu Phúc on February 5, 2025, and was publicly disclosed on February 23, 2025. This security flaw is classified as an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability (Patchstack).

The vulnerability is categorized as CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program). It received a CVSS v3.1 base score of 8.1 (High) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating that it can be exploited remotely without requiring authentication or user interaction (NVD, Patchstack).

The vulnerability allows malicious actors to include and access local files on the target website, potentially exposing sensitive information. Of particular concern is the potential access to files containing credentials, such as database configuration files, which could lead to complete database compromise depending on the server configuration (Patchstack).

The vulnerability has been fixed in version 1.0.7 of the Majestic Support plugin. Website administrators are strongly advised to update to this version or later immediately. For users of Patchstack, a virtual patch has been issued to mitigate the vulnerability by blocking potential attacks until the update can be applied (Patchstack).