CVE-2025-39396: 
WordPress vulnerability analysis and mitigation

A Local File Inclusion vulnerability (CVE-2025-39396) was discovered in Crocoblock's JetReviews WordPress plugin, affecting versions through 2.3.6. The vulnerability was identified and published on May 19, 2025, and is classified as a PHP Remote File Inclusion vulnerability, specifically related to improper control of filename for include/require statements in PHP programs (NVD, Wiz).

The vulnerability is categorized under CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program). It has received a CVSS v3.1 Base Score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility with high attack complexity, low privileges required, and no user interaction needed (NVD, Wiz).

This vulnerability could allow a malicious actor to include local files of the target website and display their contents. Particularly sensitive files containing credentials, such as database configuration files, could be exposed, potentially leading to complete database takeover depending on the system configuration (Patchstack).

The vulnerability has been patched in version 2.3.7 of the JetReviews plugin. Users are advised to update to version 2.3.7 or later to remediate the security issue (Patchstack).