CVE-2025-52809: 
WordPress vulnerability analysis and mitigation

A Local File Inclusion vulnerability (CVE-2025-52809) was discovered in the WordPress National Weather Service Alerts plugin versions 1.3.5 and below. The vulnerability was initially reported by Nguyen Xuan Chien on May 19, 2025, and was publicly disclosed on June 23, 2025. This security flaw is classified as an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, which affects the plugin's file inclusion mechanisms (Patchstack Database).

The vulnerability has been assigned a CVSS v3.1 score of 8.1 (High), with the following vector string: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. The vulnerability is classified under CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program) and requires no authentication to exploit, making it particularly dangerous. The issue falls under the OWASP Top 10 category A3: Injection (Patchstack Database).

The vulnerability allows malicious actors to include and view local files from the target website. This could potentially expose sensitive information such as database credentials, leading to complete database compromise depending on the server configuration. The software is considered abandoned, having not received updates for over a year, which amplifies the security risk (Patchstack Database).

As no official fix is available, website administrators are advised to remove and replace the plugin immediately. Patchstack has issued a virtual patch to mitigate the issue by blocking potential attacks until an official fix becomes available. It's important to note that merely deactivating the plugin does not remove the security threat unless a virtual patch is deployed (Patchstack Database).