CVE-2025-3703: 
WordPress vulnerability analysis and mitigation

A Local File Inclusion vulnerability (CVE-2025-3703) was discovered in the WordPress CSS & JavaScript Toolbox plugin developed by Wipeout Media. The vulnerability affects versions prior to 12.0.3 and was discovered by Martin Herancourt on May 26, 2025. The issue was officially published on July 22, 2025, and received a CVSS score of 7.5 (High) (Patchstack).

The vulnerability is classified as an Improper Control of Filename for Include/Require Statement in PHP Program, specifically a PHP Local File Inclusion vulnerability. It has been assigned a high severity CVSS score of 7.5, indicating significant potential impact. The vulnerability requires subscriber-level privileges to exploit (Patchstack).

This vulnerability could allow a malicious actor to include local files of the target website and display their contents on the screen. Of particular concern is the potential access to files containing sensitive information such as database credentials, which could lead to a complete database takeover depending on the system configuration (Patchstack).

The vulnerability has been patched in version 12.0.3 of the WordPress CSS & JavaScript Toolbox plugin. Users are strongly advised to update to version 12.0.3 or later immediately. Patchstack has issued a virtual patch to mitigate this issue by blocking attacks until users can update to the fixed version (Patchstack).