PHP Remote File Inclusion Vulnerability in Cook&Meal by Dedalx
CVE-2025-48149

8.1HIGH

Key Information:

Vendor: WordPress
Status: Cook&meal
Vendor: CVE Published:; 20 August 2025

What is CVE-2025-48149?

The Cook&Meal product developed by Dedalx is vulnerable to a PHP Remote File Inclusion flaw due to improper control over the filename used in include or require statements. This vulnerability allows attackers to exploit the application, potentially leading to unauthorized access and execution of malicious PHP scripts. Versions up to 1.2.3 are affected, highlighting the importance for users to assess their security posture and take preventative measures.

Affected Version(s)

Cook&Meal <= 1.2.3

References

https://patchstack.com/database/wordpress/theme/cookandme...

vdb-entry

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 20, 2025
Vulnerability Reserved
May 15, 2025

Credit

Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) (Patchstack Alliance)

WordPress

What is CVE-2025-48149?

Affected Version(s)

References

CVSS V3.1

Timeline

Credit