CVE-2025-39592: 
WordPress vulnerability analysis and mitigation

A Local File Inclusion vulnerability (CVE-2025-39592) was discovered in WP Shuffle Subscribe to Unlock Lite WordPress plugin affecting versions up to 1.3.0. The vulnerability was reported by security researcher LVT-tholv2k on March 10, 2025, and was publicly disclosed by Patchstack on April 16, 2025 (Patchstack Database).

The vulnerability is classified as an Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability (CWE-98). It has been assigned a CVSS v3.1 base score of 7.5 (High) with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H. The vulnerability requires Contributor level privileges or higher to exploit (Patchstack Database).

This vulnerability could allow a malicious actor to include local files of the target website and display their contents. Of particular concern is the potential access to files containing sensitive information such as database credentials, which could lead to a complete database takeover depending on the server configuration (Patchstack Database).

The vulnerability has been fixed in version 1.3.1 of the Subscribe to Unlock Lite plugin. Users are advised to update to version 1.3.1 or later to remove the vulnerability. Patchstack users have the additional option to enable auto-updates for vulnerable plugins (Patchstack Database).