CVE-2025-28998: 
WordPress vulnerability analysis and mitigation

A Local File Inclusion vulnerability (CVE-2025-28998) was discovered in the SERPed.net WordPress plugin versions 4.6 and below. The vulnerability was reported on June 25, 2025, and publicly disclosed on June 27, 2025. This security flaw is classified as an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, affecting the SERPed.net plugin through version 4.6 (Patchstack, NVD).

The vulnerability is categorized under CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program). It has received a CVSS v3.1 base score of 8.1 (High), with the following vector string: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. This indicates that the vulnerability can be exploited remotely, requires no privileges or user interaction, but has high attack complexity (Patchstack).

The vulnerability allows malicious actors to include local files of the target website and display their contents. This could potentially lead to the exposure of sensitive information, including database credentials, which might result in complete database compromise depending on the system configuration (Patchstack).

Users are strongly advised to update to version 4.7 or later of the SERPed.net plugin to resolve this vulnerability. For users of Patchstack, a virtual patch has been issued to mitigate this issue by blocking potential attacks until the update can be applied. The auto-update feature for vulnerable plugins can be enabled for Patchstack users (Patchstack).