CVE-2025-49271: 
WordPress vulnerability analysis and mitigation

CVE-2025-49271 is a Local File Inclusion vulnerability discovered in GravityWP - Merge Tags WordPress plugin affecting versions up to 1.4.4. The vulnerability was discovered by Nguyen Xuan Chien and publicly disclosed on August 8, 2025. This security flaw allows unauthenticated attackers to perform PHP Local File Inclusion attacks (Patchstack).

The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (High) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H. The security flaw is classified as CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program). The vulnerability allows PHP Local File Inclusion through the plugin's functionality (Patchstack).

This vulnerability could allow malicious actors to include local files of the target website and display their contents. Particularly sensitive files containing credentials, such as database configuration files, could be exposed, potentially leading to complete database compromise depending on the server configuration (Patchstack).

The vulnerability has been patched in version 1.4.5 of the GravityWP - Merge Tags plugin. Users are strongly advised to update to this version or later immediately. For users unable to update immediately, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks (Patchstack).