CVE-2025-48302: 
WordPress vulnerability analysis and mitigation

A Local File Inclusion vulnerability was discovered in the WordPress FundEngine Plugin (versions <= 1.7.4), identified as CVE-2025-48302. The vulnerability was reported by security researcher Peter Thaleikis and publicly disclosed on August 8, 2025. This security flaw affects the WordPress plugin FundEngine, which is a donation and crowdfunding platform (Patchstack, Wordfence).

The vulnerability has been assigned a CVSS score of 7.5 (High), indicating its significant severity. The security flaw is classified as a Local File Inclusion vulnerability, which falls under the OWASP Top 10 category A3: Injection. The vulnerability requires Subscriber-level privileges or higher to exploit (Patchstack).

This vulnerability could allow a malicious actor to include local files of the target website and display their contents. Particularly concerning is the potential access to files containing sensitive information such as database credentials, which could lead to a complete database compromise depending on the server configuration (Patchstack).

The vulnerability has been fixed in version 1.7.5 of the FundEngine plugin. Website administrators are strongly advised to update to version 1.7.5 or later immediately. For users of Patchstack, a virtual patch has been issued to mitigate this issue by blocking potential attacks until the update can be applied (Patchstack).