PHP Remote File Inclusion Vulnerability in CrocoBlock JetReviews Plugin
CVE-2025-49921

7.5HIGH

Key Information:

Vendor

WordPress

Vendor
CVE Published:
22 October 2025

What is CVE-2025-49921?

The JetReviews plugin by CrocoBlock is susceptible to a PHP Remote File Inclusion vulnerability due to improper control over filenames used in include and require statements. This flaw allows attackers to execute arbitrary PHP scripts on the server, leading to potential data exposure or even complete compromise of the website. Affected versions range from an unspecified version up to 3.0.0. It is crucial for website administrators to promptly update to the latest version to safeguard against this security risk.

Affected Version(s)

JetReviews 0 <= 3.0.0

References

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

stealthcopter (Patchstack Alliance)
.