CVE-2025-47439: 
WordPress vulnerability analysis and mitigation

A Local File Inclusion vulnerability (CVE-2025-47439) was discovered in WP Chill Download Monitor WordPress plugin versions through 5.0.22. The vulnerability was disclosed on May 7, 2025, and is classified as an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability. The issue has received a CVSS v3.1 base score of 7.5 (HIGH) (Wiz, NVD).

The vulnerability is categorized as CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program) with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H. This indicates that the vulnerability can be exploited remotely, requires high attack complexity, needs low privileges, and can result in high impacts to confidentiality, integrity, and availability (NVD).

The vulnerability could allow a malicious actor with contributor-level privileges or higher to include local files of the target website and display their contents. This could potentially lead to exposure of sensitive information, including database credentials, which depending on the configuration could result in complete database compromise (Patchstack).

The vulnerability has been fixed in Download Monitor version 5.0.23. Users are advised to update to this version or later to remediate the security issue. For Patchstack users, enabling auto-update for vulnerable plugins is recommended as an additional security measure (Patchstack).