CVE-2025-26760: 
WordPress vulnerability analysis and mitigation

A Local File Inclusion vulnerability (CVE-2025-26760) was discovered in the Wow-Company Calculator Builder WordPress plugin affecting versions through 1.6.2. The vulnerability was initially reported by security researcher Dimas Maulana on January 18, 2025, and was publicly disclosed on February 14, 2025 (Patchstack).

The vulnerability is classified as an Improper Control of Filename for Include/Require Statement in PHP Program (CWE-98). It received a CVSS v3.1 base score of 7.5 (High) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating that it can be exploited remotely without requiring privileges but needs user interaction (NVD, Patchstack).

The vulnerability could allow malicious actors to include and access local files on the target website, potentially exposing sensitive information. Of particular concern is the potential access to files containing credentials, such as database configurations, which could lead to complete database compromise depending on the server configuration (Patchstack).

Users are strongly advised to update to version 1.6.3 or later of the Calculator Builder plugin, which contains the fix for this vulnerability. For users of Patchstack, a virtual patch has been issued to mitigate the issue by blocking potential attacks until the update can be applied (Patchstack).