CVE-2025-39461: 
WordPress vulnerability analysis and mitigation

The vulnerability (CVE-2025-39461) is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, also known as PHP Local File Inclusion, affecting the Nawawi Jamili Docket Cache WordPress plugin versions through 24.07.02. The vulnerability was discovered by Dimas Maulana and publicly disclosed on April 17, 2025 (NVD, Patchstack).

The vulnerability is classified as a Local File Inclusion (LFI) issue with a CVSS v3.1 base score of 7.5 (High). The CVSS vector string is CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating that the vulnerability can be exploited remotely, requires no privileges, but does need user interaction (Patchstack).

If exploited, this vulnerability could allow an attacker to include local files of the target website and display their contents. This could potentially expose sensitive information such as database credentials, depending on the server configuration, which could lead to complete database takeover (Patchstack).

The vulnerability has been fixed in version 24.07.03 of the Docket Cache plugin. Users are advised to update to this version or later to remove the vulnerability. For sites using Patchstack, automatic updates can be enabled for vulnerable plugins (Patchstack).