CVE Alert: CVE-2025-9990 – smackcoders – WordPress Helpdesk Integration

CVE-2025-9990

Severity
HIGH
Exploitation status
No exploitation known

The WordPress Helpdesk Integration plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 5.8.10 via the portal_type parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.

CVSS v3.1 (8.1)
Vendor
smackcoders
Product
WordPress Helpdesk Integration
Versions
* 5.8.10 and earlier
CWE
CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’)
Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Published
2025-09-05T02:25:01.708Z
Updated
2025-09-05T02:25:01.708Z

AI Summary Analysis

**Risk verdict** High risk: unauthenticated remote local file inclusion that can lead to arbitrary PHP code execution; patch promptly.

**Why this matters** The vulnerability enables attackers to bypass access controls and execute code on the server, potentially harvesting sensitive data, defacing sites, or taking full control of affected WordPress deployments. With no user interaction required, an exposed site could be compromised quickly and used as a foothold for further action across the hosting environment.

**Most likely attack path** An attacker sends a crafted request to the vulnerable endpoint (portal_type parameter) over the network, exploiting LFI to include a PHP file from the server. Because no privileges or user interaction are required, the attacker can achieve code execution with the web server’s privileges and may deploy a web shell or pivot to adjacent components (databases, other plugins) if permissions permit.

**Who is most exposed** Organisations running self-hosted WordPress with the WordPress Helpdesk Integration plugin, especially on shared hosting or poorly restricted upload environments, are at greatest risk.

Detection ideas

  • Unexpected portal_type values indicating path traversal attempts
  • PHP errors or warnings showing include/require of local files
  • Web server logs showing access to unusual PHP files or shell-like patterns
  • Repeated 500/403 responses from the plugin endpoint
  • Anomalous spikes in resource use tied to the plugin
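The first three detection ideas can be turned into a log check. The following is an added example, not code from this page or from the plugin: it scans constructed access-log lines for requests whose portal_type parameter carries traversal sequences, absolute paths, URL wrappers or an explicit .php target, decoding a second layer of percent-encoding first so double-encoded values are not missed. The /helpdesk/ path, the sample lines and the expected identifier shape (SAFE_TOKEN) are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (common log format). The /helpdesk/ path is a
# placeholder for the plugin endpoint; the advisory does not name the real one.
SAMPLE_LOG = """\
203.0.113.10 - - [05/Sep/2025:10:00:01 +0000] "GET /helpdesk/?portal_type=ticket HTTP/1.1" 200 1532
203.0.113.11 - - [05/Sep/2025:10:00:05 +0000] "GET /helpdesk/?portal_type=../../config HTTP/1.1" 500 211
203.0.113.11 - - [05/Sep/2025:10:00:06 +0000] "GET /helpdesk/?portal_type=%252e%252e%252fconfig HTTP/1.1" 500 211
203.0.113.12 - - [05/Sep/2025:10:00:09 +0000] "GET /helpdesk/?portal_type=/var/www/x.php HTTP/1.1" 200 93
203.0.113.13 - - [05/Sep/2025:10:00:12 +0000] "GET /?p=42 HTTP/1.1" 200 8123
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
SAFE_TOKEN = re.compile(r'^[A-Za-z0-9_-]{1,32}$')  # assumed shape of a legitimate portal identifier

def inspect_portal_type(raw_value):
    """Return the reasons a portal_type value looks like a file-inclusion attempt ([] if benign)."""
    # parse_qs already decoded one layer; a second pass exposes double-encoded traversal.
    value = unquote(raw_value)
    reasons = []
    if '../' in value or '..\\' in value:
        reasons.append('path traversal')
    if value.startswith('/') or re.match(r'^[A-Za-z]:[\\/]', value):
        reasons.append('absolute path')
    if '://' in value:
        reasons.append('stream wrapper or URL')
    if value.lower().endswith('.php'):
        reasons.append('explicit .php target')
    if not reasons and not SAFE_TOKEN.match(value):
        reasons.append('value outside expected identifier shape')
    return reasons

def scan_log(text):
    """Return (client_ip, portal_type as parsed, status, reasons) for each suspicious request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a recognisable request line
        params = parse_qs(urlsplit(m['target']).query, keep_blank_values=True)
        for raw in params.get('portal_type', []):
            reasons = inspect_portal_type(raw)
            if reasons:
                findings.append((m['ip'], raw, int(m['status']), reasons))
    return findings

if __name__ == '__main__':
    for ip, raw, status, reasons in scan_log(SAMPLE_LOG):
        print(f'{ip} status={status} portal_type={raw!r}: {", ".join(reasons)}')
```

Repeated hits from one client with 500 or 403 responses, as in the second and third sample lines, are the pattern the last two detection ideas describe.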

Mitigation and prioritisation

  • Update to a fixed version beyond 5.8.10; remove or disable if not required
  • Implement a WAF rule to block suspicious portal_type patterns and path traversal
  • Disable allow_url_include and tighten PHP include/require settings (for example with open_basedir); note that allow_url_include only governs remote URLs and does not by itself block local file inclusion; restrict file uploads
  • Review file permissions and restrict upload locations; monitor for uploaded PHP files
  • Schedule patching during a maintenance window; verify remediation with targeted tests
  • If KEV is present or EPSS ≥ 0.5, treat as priority 1
