CVE-2026-48972
Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in SeedProd LLC SeedProd Pro allows PHP Local File Inclusion.
This issue affects SeedProd Pro: from n/a before 6.19.5.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Local File Inclusion vulnerability in SeedProd Pro plugin for WordPress allows attackers to include local files, potentially exposing sensitive data.
Vulnerability
The SeedProd Pro plugin for WordPress versions before 6.19.5 is vulnerable to PHP Local File Inclusion due to improper control of filename for include/require statements. An attacker can exploit this to include arbitrary local files from the server [1].
Exploitation
The attacker needs to be able to send crafted requests to the vulnerable site. No authentication is mentioned as required, so it may be unauthenticated. Exploitation involves manipulating the filename parameter in a PHP include/require call so that it points to a local file [1].
Impact
Successful exploitation allows the attacker to read sensitive local files, such as wp-config.php containing database credentials, potentially leading to complete site compromise [1].
Mitigation
Update to version 6.19.5 or later to fix the vulnerability. The plugin developer released this patched version [1]. Users unable to update immediately should consider disabling the plugin or seeking hosting provider assistance.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <6.19.5
- Range: <6.19.5
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.