CVE-2025-46474: 
WordPress vulnerability analysis and mitigation

A Local File Inclusion vulnerability (CVE-2025-46474) was discovered in the WordPress SEUR Oficial plugin affecting versions up to 2.2.23. The vulnerability was reported on April 13, 2025, and publicly disclosed on April 25, 2025. This security flaw involves improper control of filename for include/require statements in PHP programs (Patchstack Database, CVE Mitre).

The vulnerability is classified as a Local File Inclusion (LFI) issue with a Critical CVSS score of 8.1. It falls under the OWASP Top 10 category A3: Injection. The vulnerability can be exploited without authentication, making it particularly dangerous (Patchstack Database).

This vulnerability could allow malicious actors to include and display local files from the target website. Particularly concerning is the potential access to sensitive files containing credentials, such as database configuration files, which could lead to complete database compromise depending on the server configuration (Patchstack Database).

The vulnerability has been patched in version 2.2.24 of the SEUR Oficial plugin. Users are strongly advised to update to this version or later immediately. For temporary mitigation, Patchstack has issued a virtual patch to block potential attacks until users can update to the fixed version (Patchstack Database).