CVE-2025-47653: 
WordPress vulnerability analysis and mitigation

A Local File Inclusion (LFI) vulnerability has been identified in WP-Recall WordPress plugin, tracked as CVE-2025-47653. The vulnerability affects versions through 16.26.14 and is classified as an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability. This security issue was discovered and reported on May 7, 2025 (NVD, Patchstack).

The vulnerability has been assigned a CVSS v3.1 Base Score of 7.5 (HIGH) with the following vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H. The issue stems from improper control of filename for include/require statements in PHP, specifically in the tggfref WP-Recall plugin component (NVD, Wiz).

The vulnerability could allow a malicious actor to include local files of the target website and display their contents. This could potentially lead to exposure of sensitive information, including database credentials, which might result in complete database compromise depending on the system configuration (Patchstack).

As of the disclosure date, no official fix has been released for this vulnerability. Given the potential impact, website administrators running affected versions of WP-Recall should consider implementing additional security controls to restrict file inclusion capabilities (Wiz).