Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in UnboundStudio Accordion FAQ allows PHP Local File Inclusion. This issue affects Accordion FAQ: from n/a through 2.2.1.
Casky was already ahead
This CVE exploits attack patterns that Casky's 0 matched skills already investigate, long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.
CVE-2025-58024 is a PHP Local File Inclusion (LFI) vulnerability affecting UnboundStudio's Accordion FAQ plugin through version 2.2.1. The vulnerability stems from improper control of filenames in PHP include/require statements (CWE-98), allowing attackers to manipulate file paths and include arbitrary local files on the server. This is particularly dangerous in WordPress environments where the plugin is commonly deployed, as attackers can leverage LFI to read sensitive configuration files, database credentials, or other protected content. Any organization using affected versions of Accordion FAQ faces potential information disclosure and lateral movement risks, with the vulnerability requiring minimal or no authentication depending on the plugin's exposure.
While this CVE lacks an explicit MITRE ATT&CK mapping, Casky's Claude-powered analysis would correlate it with techniques such as T1083 (File and Directory Discovery) and T1005 (Data from Local System), detecting attack patterns in which file inclusion attempts systematically probe for sensitive files. Practitioners using Casky would observe findings related to suspicious include/require parameter manipulation, file path traversal patterns (../ sequences), and attempts to access configuration or credential files. The extended reasoning capabilities would flag the progression from initial reconnaissance to exploitation, helping security teams understand that LFI vulnerabilities often precede more serious compromise. Organizations should immediately audit Accordion FAQ implementations and update to version 2.2.2 or later, while monitoring logs for exploitation attempts targeting common sensitive file paths.
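The log monitoring described above can be sketched as a small access-log scanner. This is an added example, not Casky's or the plugin's code: the endpoint paths, parameter names and log lines are constructed placeholders (the page does not name the affected parameter), and the sensitive-file list is illustrative.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Request portion of a Combined Log Format line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# ".." as a whole path segment, with either slash style.
TRAVERSAL_RE = re.compile(r'(?:^|[\\/])\.\.(?:[\\/]|$)')
# Illustrative (not exhaustive) configuration and credential file names.
SENSITIVE_RE = re.compile(r'wp-config\.php|/etc/passwd|\.env\b|\.htpasswd', re.I)

# Constructed sample lines; paths and parameter names are placeholders.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2025:13:55:36 +0000] "GET /example-endpoint.php?file=../../wp-config.php HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Oct/2025:13:55:39 +0000] "GET /example-endpoint.php?file=%252e%252e%252f%252e%252e%252fwp-config.php HTTP/1.1" 404 0',
    '198.51.100.20 - - [10/Oct/2025:13:56:02 +0000] "GET /faq.php?category=billing&page=2 HTTP/1.1" 200 8431',
    '203.0.113.7 - - [10/Oct/2025:13:56:10 +0000] "GET /example-endpoint.php?tpl=/etc/passwd HTTP/1.1" 200 1290',
]

def fully_decode(value, max_rounds=3):
    """Undo nested percent-encoding so %252e%252e%252f is seen as ../"""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_line(line):
    """Return a finding dict for a suspicious request, or None if clean."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    hits = []
    query = urlsplit(m.group("target")).query
    for name, raw in parse_qsl(query, keep_blank_values=True):
        value = fully_decode(raw)
        reasons = [label for label, rx in (("traversal", TRAVERSAL_RE),
                                           ("sensitive-file", SENSITIVE_RE))
                   if rx.search(value)]
        if reasons:
            hits.append((name, value, reasons))
    if not hits:
        return None
    return {"ip": m.group("ip"), "status": int(m.group("status")), "hits": hits}

def scan(lines):
    return [f for f in map(inspect_line, lines) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The status code is kept in each finding because a flagged request answered with 200 deserves triage before one answered with 404.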
© 2026 Casky.AI, Inc. · AI Security Investigation