CVE-2025-49036: 
WordPress vulnerability analysis and mitigation

A Local File Inclusion vulnerability (CVE-2025-49036) was discovered in the Premium Addons for KingComposer WordPress plugin affecting versions up to 1.1.1. The vulnerability was initially reported by Nguyen Xuan Chien on August 6, 2025, and was publicly disclosed on August 11, 2025. This security flaw stems from improper control of filename for Include/Require statements in PHP programs (Patchstack, NVD).

The vulnerability is classified as CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program). It received a CVSS v3.1 score of 8.1 (High), with the following vector string: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. This indicates that the vulnerability can be exploited remotely, requires no privileges, and can potentially lead to high impacts on confidentiality, integrity, and availability (NVD, Patchstack).

The vulnerability could allow malicious actors to include local files of the target website and display their contents. This could potentially expose sensitive information such as database credentials, leading to complete database compromise depending on the configuration. The software is considered abandoned, having not been updated for over a year, which increases the security risk (Patchstack).

As no official fix is currently available, the recommended mitigation strategies include either removing and replacing the software or implementing virtual patching. Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until an official fix becomes available. Deactivating the software alone does not remove the security threat unless a virtual patch is deployed (Patchstack).