Improper Control of Filename in WPFable Fable Extra PHP Plugin
CVE-2025-46468

9.8 CRITICAL

Key Information:

Vendor: WordPress
CVE Published: 23 May 2025

What is CVE-2025-46468?

The WPFable Fable Extra plugin is vulnerable to PHP Local File Inclusion because it does not properly control the filename used in an include or require statement. Attackers can exploit this to execute arbitrary PHP code on the server, potentially compromising the WordPress site. The issue affects Fable Extra versions up to and including 1.0.6 and should be addressed to mitigate the risk.

Affected Version(s)

Fable Extra <= 1.0.6

CVSS V3.1

Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

stealthcopter (Patchstack Alliance)