CWE-98
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Description
The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-193
CVEs mapped to this weakness (1,051)
page 1 of 53| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2012-10025 | Cri | 0.73 | — | 0.01 | Aug 5, 2025 | The WordPress plugin Advanced Custom Fields (ACF) version 3.5.1 and below contains a remote file inclusion (RFI) vulnerability in core/actions/export.php. When the PHP configuration directive allow_url_include is enabled (default: Off), an unauthenticated attacker can exploit… | ||
| CVE-2024-12209 | Cri | 0.71 | 9.8 | 0.15 | Dec 8, 2024 | The WP Umbrella: Update Backup Restore & Monitoring plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.17.0 via the 'filename' parameter of the 'umbrella-restore' action. This makes it possible for unauthenticated attackers to… | ||
| CVE-2024-10571 | Cri | 0.71 | 9.8 | 0.05 | Nov 14, 2024 | The Chartify – WordPress Chart Plugin plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.9.5 via the 'source' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server,… | ||
| CVE-2024-3806 | Cri | 0.69 | 9.8 | 0.03 | May 14, 2024 | The Porto theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 7.1.0 via the 'porto_ajax_posts' function. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution… | ||
| CVE-2023-6989 | Cri | 0.69 | 9.8 | 0.57 | Feb 5, 2024 | The Shield Security – Smart Bot Blocking & Intrusion Prevention Security plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 18.5.9 via the render_action_template parameter. This makes it possible for unauthenticated attacker to… | ||
| CVE-2025-25174 | Cri | 0.65 | 10.0 | 0.00 | Aug 14, 2025 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in beeteam368 BeeTeam368 Extensions beeteam368-extensions allows PHP Local File Inclusion.This issue affects BeeTeam368 Extensions: from n/a through <= 1.9.4. | ||
| CVE-2024-12571 | Cri | 0.65 | 9.8 | 0.01 | Dec 20, 2024 | The Store Locator for WordPress with Google Maps – LotsOfLocales plugin for WordPress is vulnerable to Local File Inclusion in version 3.98.9 via the 'sl_engine' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the… | ||
| CVE-2024-4936 | Cri | 0.65 | 9.8 | 0.01 | Jun 14, 2024 | The Canto plugin for WordPress is vulnerable to Remote File Inclusion in all versions up to, and including, 3.0.8 via the abspath parameter. This makes it possible for unauthenticated attackers to include remote files on the server, resulting in code execution. This required… | ||
| CVE-2023-5199 | Cri | 0.65 | 9.9 | 0.01 | Oct 30, 2023 | The PHP to Page plugin for WordPress is vulnerable Local File Inclusion to Remote Code Execution in versions up to, and including, 0.3 via the 'php-to-page' shortcode. This allows authenticated attackers with subscriber-level permissions or above, to include local file and… | ||
| CVE-2026-9559 | Cri | 0.64 | 9.9 | 0.01 | May 29, 2026 | A path traversal vulnerability exists in the campaign import feature of Mautic 7. When extracting uploaded ZIP files during campaign imports, a flaw in the validation logic allows file paths to escape the intended temporary directories. An authenticated user with campaign import… | ||
| CVE-2026-27065 | Cri | 0.64 | 9.8 | 0.00 | Mar 19, 2026 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThimPress BuilderPress builderpress allows PHP Local File Inclusion.This issue affects BuilderPress: from n/a through <= 2.0.1. | ||
| CVE-2026-28043 | Cri | 0.64 | 9.8 | 0.00 | Mar 5, 2026 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Healer - Doctor, Clinic & Medical WordPress Theme healer allows PHP Local File Inclusion.This issue affects Healer - Doctor, Clinic & Medical… | ||
| CVE-2021-47900 | Cri | 0.64 | 9.8 | 0.01 | Jan 27, 2026 | Gila CMS versions prior to 2.0.0 contain a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary system commands through manipulated HTTP headers. Attackers can inject PHP code in the User-Agent header with shell_exec() to run system… | ||
| CVE-2025-14502 | Cri | 0.64 | 9.8 | 0.01 | Jan 14, 2026 | The News and Blog Designer Bundle plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.1 via the template parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary .php files on the server,… | ||
| CVE-2025-53433 | Cri | 0.64 | 9.8 | 0.00 | Dec 18, 2025 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes EasyEat easyeat allows PHP Local File Inclusion.This issue affects EasyEat: from n/a through <= 1.9.0. | ||
| CVE-2025-11023 | Cri | 0.64 | 9.8 | 0.01 | Oct 23, 2025 | Inclusion of Functionality from Untrusted Control Sphere, Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ArkSigner Software and Hardware Inc. AcBakImzala allows PHP Local File Inclusion. This issue… | ||
| CVE-2025-7634 | Cri | 0.64 | 9.8 | 0.01 | Oct 9, 2025 | The WP Travel Engine – Tour Booking Plugin – Tour Operator Software plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 6.6.7 via the mode parameter. This makes it possible for unauthenticated attackers to include and execute… | ||
| CVE-2025-48293 | Cri | 0.64 | 9.8 | 0.00 | Aug 14, 2025 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Dylan Kuhn Geo Mashup geo-mashup allows PHP Local File Inclusion.This issue affects Geo Mashup: from n/a through <= 1.13.16. | ||
| CVE-2025-46468 | Cri | 0.64 | 9.8 | 0.01 | May 23, 2025 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WPFable Fable Extra fable-extra allows PHP Local File Inclusion.This issue affects Fable Extra: from n/a through <= 1.0.6. | ||
| CVE-2025-39406 | Cri | 0.64 | 9.8 | 0.00 | May 19, 2025 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in mojoomla WPAMS apartment-management allows PHP Local File Inclusion.This issue affects WPAMS: from n/a through <= 44.0. |
- risk 0.73cvss —epss 0.01
The WordPress plugin Advanced Custom Fields (ACF) version 3.5.1 and below contains a remote file inclusion (RFI) vulnerability in core/actions/export.php. When the PHP configuration directive allow_url_include is enabled (default: Off), an unauthenticated attacker can exploit…
- risk 0.71cvss 9.8epss 0.15
The WP Umbrella: Update Backup Restore & Monitoring plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.17.0 via the 'filename' parameter of the 'umbrella-restore' action. This makes it possible for unauthenticated attackers to…
- risk 0.71cvss 9.8epss 0.05
The Chartify – WordPress Chart Plugin plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.9.5 via the 'source' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server,…
- risk 0.69cvss 9.8epss 0.03
The Porto theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 7.1.0 via the 'porto_ajax_posts' function. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution…
- risk 0.69cvss 9.8epss 0.57
The Shield Security – Smart Bot Blocking & Intrusion Prevention Security plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 18.5.9 via the render_action_template parameter. This makes it possible for unauthenticated attacker to…
- risk 0.65cvss 10.0epss 0.00
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in beeteam368 BeeTeam368 Extensions beeteam368-extensions allows PHP Local File Inclusion.This issue affects BeeTeam368 Extensions: from n/a through <= 1.9.4.
- risk 0.65cvss 9.8epss 0.01
The Store Locator for WordPress with Google Maps – LotsOfLocales plugin for WordPress is vulnerable to Local File Inclusion in version 3.98.9 via the 'sl_engine' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the…
- risk 0.65cvss 9.8epss 0.01
The Canto plugin for WordPress is vulnerable to Remote File Inclusion in all versions up to, and including, 3.0.8 via the abspath parameter. This makes it possible for unauthenticated attackers to include remote files on the server, resulting in code execution. This required…
- risk 0.65cvss 9.9epss 0.01
The PHP to Page plugin for WordPress is vulnerable Local File Inclusion to Remote Code Execution in versions up to, and including, 0.3 via the 'php-to-page' shortcode. This allows authenticated attackers with subscriber-level permissions or above, to include local file and…
- risk 0.64cvss 9.9epss 0.01
A path traversal vulnerability exists in the campaign import feature of Mautic 7. When extracting uploaded ZIP files during campaign imports, a flaw in the validation logic allows file paths to escape the intended temporary directories. An authenticated user with campaign import…
- risk 0.64cvss 9.8epss 0.00
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThimPress BuilderPress builderpress allows PHP Local File Inclusion.This issue affects BuilderPress: from n/a through <= 2.0.1.
- risk 0.64cvss 9.8epss 0.00
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Healer - Doctor, Clinic & Medical WordPress Theme healer allows PHP Local File Inclusion.This issue affects Healer - Doctor, Clinic & Medical…
- risk 0.64cvss 9.8epss 0.01
Gila CMS versions prior to 2.0.0 contain a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary system commands through manipulated HTTP headers. Attackers can inject PHP code in the User-Agent header with shell_exec() to run system…
- risk 0.64cvss 9.8epss 0.01
The News and Blog Designer Bundle plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.1 via the template parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary .php files on the server,…
- risk 0.64cvss 9.8epss 0.00
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes EasyEat easyeat allows PHP Local File Inclusion.This issue affects EasyEat: from n/a through <= 1.9.0.
- risk 0.64cvss 9.8epss 0.01
Inclusion of Functionality from Untrusted Control Sphere, Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ArkSigner Software and Hardware Inc. AcBakImzala allows PHP Local File Inclusion. This issue…
- risk 0.64cvss 9.8epss 0.01
The WP Travel Engine – Tour Booking Plugin – Tour Operator Software plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 6.6.7 via the mode parameter. This makes it possible for unauthenticated attackers to include and execute…
- risk 0.64cvss 9.8epss 0.00
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Dylan Kuhn Geo Mashup geo-mashup allows PHP Local File Inclusion.This issue affects Geo Mashup: from n/a through <= 1.13.16.
- risk 0.64cvss 9.8epss 0.01
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WPFable Fable Extra fable-extra allows PHP Local File Inclusion.This issue affects Fable Extra: from n/a through <= 1.0.6.
- risk 0.64cvss 9.8epss 0.00
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in mojoomla WPAMS apartment-management allows PHP Local File Inclusion.This issue affects WPAMS: from n/a through <= 44.0.