File Inclusion Flaw Discovered in Docket Cache Plugin

Analyzing the Risks of Insecure Include Paths

Cory Marsh

Cory Marsh has over 20 years of Internet security experience. He is a lead developer on the BitFire project and regularly releases PHP security and programming videos on BitFire's YouTube channel.
wordpress-docket-cache-local-file-inclusion, 50,000+ sites hacked
Unauthenticated | Local File Inclusion | High Impact

File inclusion vulnerabilities in PHP-based applications continue to pose serious risks to WordPress installations. A recent vulnerability in the Docket Cache plugin demonstrates how passing user-controlled filenames to include or require statements leads to Local File Inclusion (LFI). Although a patch has been issued, site operators must act swiftly, and ideally employ runtime protections like BitFire to enforce safe code execution boundaries.

View CVE Report: CVE-2025-39461

View On WordPress.org: wordpress-docket-cache-local-file-inclusion

View On Trac: plugins.trac.wordpress.org


Docket Cache

"Docket Cache is a WordPress caching plugin focused on object caching and performance optimization through persistent and file-based caching strategies. It integrates with advanced hosting setups and provides CLI support for developers."

-- wordpress-docket-cache-local-file-inclusion
  • Persistent object caching with filesystem-based backend
  • Supports WP-CLI and advanced debugging
  • Integrates with third-party plugins and hosting environments
  • Improves performance for dynamic and high-traffic sites


BitFire's 0-day protection of the CVE-2025-39461 vulnerability

The Gory Details

The vulnerability in Docket Cache stems from improper handling of user-controlled input in file include operations. In versions up to and including 24.07.02, an attacker can exploit insufficient sanitization of dynamic file paths passed to include or require statements. This allows unauthenticated users to include local PHP files on the server, potentially exposing sensitive information, triggering arbitrary code execution, or enabling privilege escalation through crafted payloads.
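The following is an added example, not Docket Cache's or BitFire's code, showing the general shape of the flaw described above (a request-controlled name interpolated into an include) beside a hardened form that uses an exact allowlist and a canonical-path boundary check. The template names, the templates/ directory layout and the `?t=` parameter are assumptions made for illustration.

```php
<?php
// Added example (not Docket Cache's or BitFire's code): the include pattern the
// advisory describes, beside a hardened version. Template names, the
// templates/ directory and the ?t= parameter are assumptions for illustration.

declare(strict_types=1);

// --- Insecure pattern: the request chooses the file that gets included. ---
// A value such as "../secret" walks out of the intended directory, and because
// the name is interpolated into an include, whatever it points at runs as PHP.
function render_template_insecure(string $base_dir, string $name): void
{
    include $base_dir . '/' . $name . '.php';   // $name comes straight from the request
}

// --- Hardened pattern: allowlist first, then a canonical-path boundary check. ---
const ALLOWED_TEMPLATES = ['header', 'footer', 'sidebar']; // assumed names

/**
 * Map a requested template name to an absolute path inside $base_dir.
 * Returns null when the name is not allowlisted, the file is missing, or the
 * canonical path (after symlinks and ".." are resolved) leaves $base_dir.
 */
function resolve_template(string $base_dir, string $name): ?string
{
    // 1. Exact allowlist match: no request-controlled characters reach the path.
    if (!in_array($name, ALLOWED_TEMPLATES, true)) {
        return null;
    }
    // 2. Canonicalise both sides; realpath() returns false for a missing file.
    $root = realpath($base_dir);
    $path = realpath($base_dir . DIRECTORY_SEPARATOR . $name . '.php');
    if ($root === false || $path === false) {
        return null;
    }
    // 3. Defense in depth: the resolved file must still sit beneath the root
    //    (catches an allowlisted template that was symlinked somewhere outside it).
    $prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

function render_template_hardened(string $base_dir, string $name): void
{
    $path = resolve_template($base_dir, $name);
    if ($path === null) {
        http_response_code(400);
        error_log('rejected template include: ' . var_export($name, true));
        return;
    }
    include $path;
}

// Self-contained demo: build a throwaway directory tree and exercise both forms.
$tmp = sys_get_temp_dir() . '/lfi_demo_' . bin2hex(random_bytes(4));
mkdir($tmp . '/templates', 0700, true);
file_put_contents($tmp . '/templates/header.php', "<?php echo 'header rendered', PHP_EOL;");
file_put_contents($tmp . '/secret.php', "<?php echo 'secret file executed', PHP_EOL;");
symlink($tmp . '/secret.php', $tmp . '/templates/sidebar.php'); // allowlisted name, escaped target

echo "insecure include with '../secret': ";
render_template_insecure($tmp . '/templates', '../secret');   // executes secret.php

foreach (['header', '../secret', 'sidebar', "header\0"] as $input) {
    $resolved = resolve_template($tmp . '/templates', $input);
    printf("hardened %-12s -> %s\n", var_export($input, true),
        $resolved === null ? 'rejected' : 'included: ' . $resolved);
}
```

Run it with `php` from the command line. Only `header` survives the hardened path: `../secret` and the null-byte variant fail the allowlist, and `sidebar` passes the allowlist but is rejected at step 3 because its symlink target resolves outside the templates directory. The allowlist is the primary control; the `realpath()` comparison is there so that a deployment mistake (a stray symlink, a mis-set base directory) still cannot turn the include into an LFI.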

Mitigating the Risk

The vendor addressed this issue in version 24.07.03 by introducing safer include logic and sanitizing dynamic file paths. All users should immediately upgrade to the patched release. Administrators are also advised to audit access logs for suspicious file inclusion attempts and restrict access to non-public directories on the server.
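As an added example of the log audit recommended above (not BitFire's or Docket Cache's code), this script scans web-server access log lines for request URIs that carry file-inclusion indicators: directory traversal, PHP stream wrappers, null bytes and absolute system paths. The log lines are constructed, the `example.php?view=` endpoint under the plugin directory is an assumption, and the script generalizes beyond this one plugin by taking the URL prefix to watch as a parameter.

```php
<?php
// Added example, not BitFire's or Docket Cache's code: scan access log lines for
// request URIs that look like file-inclusion attempts. The log lines are
// constructed; the example.php?view= endpoint under the plugin path is assumed.

declare(strict_types=1);

// Constructed sample in Apache/Nginx "combined" format.
$sample_log = <<<'LOG'
203.0.113.5 - - [10/Jul/2025:10:01:02 +0000] "GET /wp-content/plugins/docket-cache/example.php?view=footer HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jul/2025:10:01:07 +0000] "GET /wp-content/plugins/docket-cache/example.php?view=../../../../wp-config.php HTTP/1.1" 200 3810 "-" "curl/8.0"
203.0.113.9 - - [10/Jul/2025:10:01:09 +0000] "GET /wp-content/plugins/docket-cache/example.php?view=..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1790 "-" "curl/8.0"
198.51.100.7 - - [10/Jul/2025:10:02:00 +0000] "GET /wp-content/plugins/docket-cache/example.php?view=php://filter/convert.base64-encode/resource=index HTTP/1.1" 200 9001 "-" "python-requests/2.31"
198.51.100.8 - - [10/Jul/2025:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 21000 "-" "Mozilla/5.0"
LOG;

/** Patterns that indicate an attempt to steer an include outside its directory. */
const LFI_INDICATORS = [
    'traversal'      => '~(?:\.\./|\.\.\\\\)~',
    'stream_wrapper' => '~\b(?:php|phar|data|file|expect|zip)://~i',
    'null_byte'      => '~\x00~',
    'absolute_path'  => '~=/(?:etc|proc|var|usr)/~',
];

/** Parse one combined-format line into ip/method/uri/status, or null if it does not match. */
function parse_log_line(string $line): ?array
{
    if (!preg_match('~^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})~', $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'method' => $m[2], 'uri' => $m[3], 'status' => (int) $m[4]];
}

/**
 * Return one finding per suspicious request under $path_prefix: the indicator
 * that fired, the decoded URI and the response status (a 200 on a traversal
 * request is the case worth escalating). The URI is percent-decoded twice so
 * double-encoded payloads (%252e%252e) are seen in their final form.
 */
function find_lfi_attempts(string $log, string $path_prefix = '/wp-content/plugins/docket-cache/'): array
{
    $findings = [];
    foreach (preg_split('~\R~', trim($log)) as $line) {
        $req = parse_log_line($line);
        if ($req === null || strncmp($req['uri'], $path_prefix, strlen($path_prefix)) !== 0) {
            continue;
        }
        $decoded = rawurldecode(rawurldecode($req['uri']));
        foreach (LFI_INDICATORS as $name => $regex) {
            if (preg_match($regex, $decoded)) {
                $findings[] = ['ip' => $req['ip'], 'indicator' => $name,
                               'uri' => $decoded, 'status' => $req['status']];
                break; // one indicator per request is enough for triage
            }
        }
    }
    return $findings;
}

foreach (find_lfi_attempts($sample_log) as $f) {
    printf("%-12s %-14s HTTP %d  %s\n", $f['ip'], $f['indicator'], $f['status'], $f['uri']);
}
```

On the constructed sample this flags the two traversal requests from 203.0.113.9 (the second only after percent-decoding) and the `php://filter` request, while the legitimate `view=footer` request and the unrelated `/index.php` hit are left alone. To run it against a real server, pipe the access log into the script or replace `$sample_log` with `file_get_contents()` of the log, and adjust `$path_prefix` to the plugin path on that host.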

Why BitFire?

BitFire's Runtime Application Self-Protection (RASP) layer analyzes the behavior of include/require operations and prevents inclusion of unauthorized or unvalidated file paths. It can detect and block suspicious inclusion attempts at runtime, reducing the risk of exploitation even if a vulnerability exists in the codebase. BitFire confines include statements to approved directories and files, limiting exposure from insecure plugin behavior.

The Bottom Line

Local File Inclusion vulnerabilities may not always result in immediate code execution, but they frequently serve as a pivot point for deeper compromise. When found in widely used caching plugins like Docket Cache, the consequences can impact a large number of sites. BitFire offers preventive coverage by identifying suspicious behavior before it can be leveraged—complementing patches and hardening efforts with behavioral enforcement.

Removed Code: unknown – vulnerable include/require logic in dynamic path usage
Replaced Code