CVE-2025-46454: 
WordPress vulnerability analysis and mitigation

A Local File Inclusion vulnerability (CVE-2025-46454) was discovered in the WordPress Meta Keywords & Description plugin affecting versions up to 0.8. The vulnerability was reported by researcher Nguyen Xuan Chien and was publicly disclosed on April 28, 2025. This security flaw is related to improper control of filename for include/require statements in PHP programs (Wiz, Patchstack).

The vulnerability is classified as a PHP Remote File Inclusion issue, specifically affecting the file handling mechanisms within the Meta Keywords & Description plugin. It has received a CVSS v3.1 score of 7.5 (High), with the following vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H. The vulnerability is characterized by Network attack vector, High attack complexity, No privileges required, and Required user interaction (Patchstack).

This vulnerability could allow malicious actors to include and access local files of the target website and display their contents. Of particular concern is the potential access to sensitive files containing credentials, such as database configuration files, which could lead to complete database compromise depending on the server configuration (Patchstack).

As of May 2025, no official fix is available for this vulnerability. Patchstack has issued a virtual patch to mitigate the issue by blocking potential attacks until an official fix becomes available. Website administrators are advised to implement immediate mitigation measures or consider using virtual patching solutions (Patchstack).