PHP Remote File Inclusion Vulnerability in Cozmoslabs Paid Member Subscriptions Plugin
CVE-2025-54017

7.5HIGH

Key Information:

Vendor: WordPress
Status: Paid Member Subscriptions
Vendor: CVE Published:; 20 August 2025

What is CVE-2025-54017?

A vulnerability exists in Cozmoslabs Paid Member Subscriptions plugin that permits local file inclusion through improper control of filename in include/require statements. The flaw can enable attackers to manipulate PHP scripts and potentially access sensitive files on the server, compromising the security of the entire application. This issue impacts versions from not available to 2.15.4, making it crucial for site administrators to implement patches and updates to mitigate the risk.

Affected Version(s)

Paid Member Subscriptions <= 2.15.4

References

https://patchstack.com/database/wordpress/plugin/paid-mem...

vdb-entry

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 20, 2025
Vulnerability Reserved
Jul 16, 2025

Credit

LVT-tholv2k (Patchstack Alliance)

JSON

WordPress

What is CVE-2025-54017?

Affected Version(s)

References

CVSS V3.1

Timeline

Credit