CVE-2025-68563

Subscribe · Subscribe to Unlock Lite (WordPress Plugin)

A critical vulnerability has been identified in the "Subscribe to Unlock Lite" WordPress plugin, assigned CVE-2025-68563.

Executive summary

CVE-2025-68563 is a critical vulnerability in the "Subscribe to Unlock Lite" WordPress plugin. The flaw lets an unauthenticated attacker make the plugin include, and therefore execute, files on the web server, which can lead to full compromise of the site and its host. Successful exploitation could result in data theft, website defacement, or the server being used as a foothold for further malicious activity.

Vulnerability

The vulnerability is a Local File Inclusion (LFI) flaw caused by improper validation of a filename that is passed to a PHP include or require statement. An unauthenticated remote attacker can manipulate the input parameter to make the application include arbitrary files from the server's filesystem. Because include executes the target as PHP rather than printing it, the two practical outcomes differ: reading a file such as wp-config.php (which holds the database credentials and authentication salts) is typically done through a PHP stream wrapper such as php://filter that returns the file's source, while Remote Code Execution (RCE) is reached by including a file whose contents the attacker already controls, for example a poisoned web server log, a PHP session file, or an uploaded file carrying PHP code. Whether RCE is reachable depends on the server configuration, but the unauthenticated file-read alone is enough to justify the critical CVSS score.
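The following is an added illustration of the bug class described above, written for this advisory; it is not code from the Subscribe to Unlock Lite plugin, and the `template` request parameter, the `templates/` directory and the template names are assumptions. It places the vulnerable include pattern beside two safe resolvers: a strict allowlist (preferred) and a canonicalise-and-contain check for cases where the set of files is not fixed.

```php
<?php
// Added illustration for this advisory; this is not code from the Subscribe to
// Unlock Lite plugin. The 'template' request parameter, the templates/
// directory and the template names below are assumptions.

// VULNERABLE PATTERN: a request-controlled string reaches include() unchanged.
// include() executes the target as PHP, so 'template=../../../../wp-config.php'
// runs wp-config.php inside the request (proving the path is reachable), and a
// stream-wrapper value such as
// 'php://filter/convert.base64-encode/resource=../../../../wp-config.php'
// returns the file's source instead of executing it.
function render_template_vulnerable(string $template): void
{
    include __DIR__ . '/templates/' . $template;
}

// FIX 1 (preferred): an allowlist. The request selects a key; the filesystem
// path is built only from constants, so no attacker bytes reach include().
const ALLOWED_TEMPLATES = [
    'default' => 'default.php',
    'compact' => 'compact.php',
];

function resolve_template(string $template): ?string
{
    if (!array_key_exists($template, ALLOWED_TEMPLATES)) {
        return null; // unknown key: refuse rather than fall back to a guess
    }
    return __DIR__ . '/templates/' . ALLOWED_TEMPLATES[$template];
}

// FIX 2 (when the set of files is not fixed): restrict the character set,
// canonicalise with realpath(), and require the result to sit inside the
// template directory. The character check alone rejects '/', '..', NUL and
// 'php://'; the realpath() check additionally defeats symlink escapes.
function resolve_template_contained(string $template): ?string
{
    $base = realpath(__DIR__ . '/templates');
    if ($base === false) {
        return null;
    }
    if (!preg_match('/\A[a-z0-9_-]+\.php\z/', $template)) {
        return null;
    }
    $path = realpath($base . DIRECTORY_SEPARATOR . $template);
    if ($path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null; // missing, or resolved outside $base
    }
    return $path;
}

function render_template(string $template): void
{
    $path = resolve_template($template);
    if ($path === null) {
        http_response_code(400);
        echo 'Unknown template';
        return;
    }
    include $path;
}

// Usage sketch with request input (the 'template' parameter is an assumption):
// render_template((string) ($_GET['template'] ?? 'default'));
```

The allowlist is the stronger fix because the user never supplies any part of a path. The contained variant is shown for completeness: note that it rejects the name before touching the filesystem, and that `realpath()` returning `false` for a non-existent file is treated as a refusal, not as a reason to fall back to the raw string.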

Business impact

With a critical severity rating and a CVSS score of 9.8, this vulnerability poses a severe and immediate threat to the business. A successful attack could lead to a complete compromise of the web application and the underlying server. Potential consequences include the theft of sensitive data such as customer information and database credentials, significant reputational damage, financial loss, and the use of the compromised server to attack other systems or host malicious content.

Remediation

Immediate Action: Update the "Subscribe to Unlock Lite" WordPress plugin to the vendor's patched release (any version later than 1.3.0); treat 1.3.0 and earlier as vulnerable. After patching, review web server access logs and audit the site's files for signs of compromise that may have occurred before remediation. Because a successful file read exposes wp-config.php, rotate the database credentials and the authentication salts defined there if there is any indication the file was retrieved.

Proactive Monitoring: System administrators should actively monitor web server logs (e.g., Apache, Nginx) for requests containing directory traversal sequences (../ and their URL-encoded and double-encoded forms such as %2e%2e%2f and %252e%252e%252f), PHP stream wrappers such as php://filter, and attempts to reach sensitive files like /etc/passwd or wp-config.php. A 200 response to such a request is a stronger signal than a 404. Note that access logs record only the query string; parameters sent in a POST body are not visible there. Also watch for unexpected outbound network connections, high CPU usage, or the creation of suspicious files in web-accessible directories, as these can be indicators of a successful exploit.
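The following added example, written for this advisory and not part of it, turns the monitoring guidance above into a small PHP CLI scanner that decodes each request target (twice, so double-encoded traversal is caught) and flags traversal, sensitive file names, stream wrappers and null bytes. The sample log lines are constructed, and the `file` parameter name in them is made up for illustration.

```php
<?php
// Added example for this advisory; not part of the original page.
// The sample access-log lines are constructed and the 'file' parameter
// name in them is an assumption, not the plugin's real parameter.

// Parse one line in Apache/Nginx combined log format.
function parse_access_line(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return [
        'ip'     => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'target' => $m[4],
        'status' => (int) $m[5],
    ];
}

// Return the list of LFI indicators found in a request target.
// Decoding twice makes %2e%2e%2f and %252e%252e%252f both read as ../
function lfi_indicators(string $target): array
{
    $decoded = strtolower(urldecode(urldecode($target)));
    $hits = [];
    if (preg_match('~\.\.[/\\\\]~', $decoded)) {
        $hits[] = 'traversal';
    }
    if (preg_match('~(wp-config\.php|/etc/passwd|/etc/shadow|/proc/self/environ)~', $decoded)) {
        $hits[] = 'sensitive_file';
    }
    if (preg_match('~\b(php|phar|data|expect|file)://~', $decoded)) {
        $hits[] = 'stream_wrapper';
    }
    if (strpos($decoded, "\0") !== false) {
        $hits[] = 'null_byte';
    }
    return $hits;
}

// Scan an array of log lines and return only the suspicious requests.
function scan_log(array $lines): array
{
    $findings = [];
    foreach ($lines as $line) {
        $req = parse_access_line($line);
        if ($req === null) {
            continue;
        }
        $hits = lfi_indicators($req['target']);
        if ($hits !== []) {
            $findings[] = $req + ['indicators' => $hits];
        }
    }
    return $findings;
}

// Constructed sample lines (the 'file' parameter is hypothetical).
$SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2025:08:14:02 +0000] "GET /?file=../../../../wp-config.php HTTP/1.1" 200 5120 "-" "curl/8.4.0"',
    '203.0.113.7 - - [10/Jan/2025:08:14:05 +0000] "GET /?file=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1789 "-" "curl/8.4.0"',
    '198.51.100.4 - - [10/Jan/2025:08:15:11 +0000] "GET /?file=php://filter/convert.base64-encode/resource=wp-config.php HTTP/1.1" 200 9800 "-" "python-requests/2.31"',
    '192.0.2.10 - - [10/Jan/2025:08:16:40 +0000] "GET /blog/2025/01/hello-world/ HTTP/1.1" 200 23000 "-" "Mozilla/5.0"',
];

// Read from a file given on the command line, otherwise use the samples.
$lines = isset($argv[1]) ? file($argv[1], FILE_IGNORE_NEW_LINES) : $SAMPLE_LOG;
foreach (scan_log($lines) as $f) {
    printf("%s %s %s %d [%s]\n", $f['time'], $f['ip'], $f['target'], $f['status'], implode(',', $f['indicators']));
}
```

Run it as `php scan.php /var/log/nginx/access.log` (or feed archived logs through `zcat` into a temporary file). Triage on the status column first: a traversal or wrapper request that was answered with 200 deserves immediate attention, while a burst of 404s from one address is more likely a scanner probing for the plugin.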

Compensating Controls: If immediate patching is not feasible, the following measures can reduce the risk of exploitation:

  • Deactivate the "Subscribe to Unlock Lite" plugin (and delete it if it is not needed) until it can be safely updated; a deactivated plugin's files may still be reachable if they execute outside the WordPress bootstrap, so deletion is the safer option.
  • Implement a Web Application Firewall (WAF) with rules that block LFI and directory traversal patterns, including URL-encoded variants and PHP stream wrappers (php://, phar://, data://).
  • Harden the server's PHP configuration. Keep allow_url_include disabled (it is off by default); note that it governs only remote inclusion, so it blocks escalation via http:// or ftp:// URLs but does not stop local inclusion by itself. Enforce a restrictive open_basedir so that include() cannot reach files outside the web root and the directories WordPress needs (uploads, temp), which limits both what can be read and which attacker-influenced files (logs, session files) can be pulled in.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the critical CVSS score of 9.8 and the high potential for full system compromise by an unauthenticated attacker, this vulnerability requires immediate attention. We strongly recommend that organizations using the affected "Subscribe to Unlock Lite" plugin apply the security update to all vulnerable systems without delay. If patching cannot be performed immediately, deactivate or remove the plugin to eliminate the attack vector. Although this vulnerability is not currently listed in the CISA KEV catalog, an unauthenticated, remotely reachable flaw of this severity should be treated as a high-priority target for threat actors regardless of KEV status.