VYPR
High severity 8.1 · NVD Advisory · Published Jun 27, 2025 · Updated Apr 23, 2026

CVE-2025-52814

Description

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ovatheme BRW ova-brw allows PHP Local File Inclusion. This issue affects BRW: from n/a through <= 1.8.7.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Local File Inclusion vulnerability in BRW plugin allows attackers to include local files, potentially exposing sensitive data; patched in version 1.8.8.

The BRW plugin for WordPress (ova-brw) versions up to and including 1.8.7 suffer from a Local File Inclusion (LFI) vulnerability due to improper control of filenames for include and require statements [1]. This PHP LFI flaw enables an attacker to manipulate file paths to include arbitrary files from the local server.

Exploitation can be carried out remotely without authentication by crafting a malicious request that references a target file on the server [1]. The attack surface is broad, as the plugin is widely used, and the vulnerability is expected to be exploited in mass campaigns targeting thousands of websites.

Successful exploitation allows an attacker to read sensitive files, such as wp-config.php containing database credentials, potentially leading to complete database takeover or further compromise of the site [1].

The vulnerability is fixed in version 1.8.8 of the plugin. Users are strongly advised to update immediately. Patchstack also provides a mitigation rule for users unable to update promptly [1].
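
To confirm whether a site is still on an affected release, the following added example (not part of the advisory or the plugin's own code) reads the plugin's `Version:` header and compares it with the fixed release 1.8.8. It assumes the default `wp-content/plugins/ova-brw` install path; the function names are illustrative.

```python
import re
import sys
from pathlib import Path

PLUGIN_SLUG = "ova-brw"   # plugin slug named in the advisory
FIXED = (1, 8, 8)         # first fixed release per the advisory
# Same shape WordPress uses for plugin header fields: optional comment chars, then "Version:"
_VERSION = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.M | re.I)

def parse_version(text):
    """'1.8.7' -> (1, 8, 7); stops at the first non-numeric part, pads to three fields."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts + [0] * (3 - len(parts))) if parts else None

def installed_version(plugin_dir):
    """Return the Version header of the plugin's main file, or None if not found."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        # The header sits at the top of the main file, so only the start is scanned.
        head = php.read_text(encoding="utf-8", errors="replace")[:8192]
        if "Plugin Name:" in head:
            m = _VERSION.search(head)
            if m:
                return m.group(1)
    return None

def audit(wp_root):
    """Classify one WordPress root: absent, unknown, vulnerable or fixed."""
    plugin_dir = Path(wp_root) / "wp-content" / "plugins" / PLUGIN_SLUG  # assumed default layout
    if not plugin_dir.is_dir():
        return ("absent", None)
    raw = installed_version(plugin_dir)
    parsed = parse_version(raw) if raw else None
    if parsed is None:
        return ("unknown", raw)   # header missing or unparsable: check by hand
    return ("vulnerable" if parsed < FIXED else "fixed", raw)

if __name__ == "__main__":
    for root in sys.argv[1:]:
        status, version = audit(root)
        print(f"{root}\t{PLUGIN_SLUG}\t{version or '-'}\t{status}")
```

Pass one or more WordPress document roots as arguments; an `unknown` result means the header could not be read and the install should be checked manually.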

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

References

1
