CVE-2025-62075: 
WordPress vulnerability analysis and mitigation

A Local File Inclusion vulnerability (CVE-2025-62075) was discovered in the Simple Payment WordPress plugin versions up to and including 2.4.6. The vulnerability was disclosed on October 29, 2025, and affects Ido Kobelkowsky's Simple Payment plugin. The issue was identified by security researcher Nguyen Xuan Chien (Patchstack).

The vulnerability is classified as an Improper Control of Filename for Include/Require Statement in PHP Program (CWE-98). It received a CVSS 3.1 base score of 7.3 (HIGH) with the vector string CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N. The vulnerability allows for improper control of filename inclusion statements in PHP programs (NVD, Rapid7).

This vulnerability makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, potentially leading to the execution of any PHP code in those files. The impact includes the possibility of bypassing access controls, obtaining sensitive data, or achieving code execution in cases where images and other 'safe' file types can be uploaded and included (Rapid7).

Users are advised to update to version 2.4.7 or later of the Simple Payment plugin to resolve the vulnerability. Patchstack has issued a mitigation rule to block any attacks until users can update to a fixed version (Patchstack).