VYPR

CWE-98

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

VariantDraftLikelihood: High

Description

The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions.

In certain versions and configurations of PHP, this can allow an attacker to specify a URL to a remote location from which the product will obtain the code to execute. In other cases in association with path traversal, the attacker can specify a local file that may contain executable statements that can be parsed by PHP.

Hierarchy (View 1000)

Children

none

Related attack patterns (CAPEC)

CAPEC-193

CVEs mapped to this weakness (1,051)

page 1 of 53
  • CVE-2012-10025CriAug 5, 2025
    risk 0.73cvss epss 0.01

    The WordPress plugin Advanced Custom Fields (ACF) version 3.5.1 and below contains a remote file inclusion (RFI) vulnerability in core/actions/export.php. When the PHP configuration directive allow_url_include is enabled (default: Off), an unauthenticated attacker can exploit…

  • CVE-2024-12209CriDec 8, 2024
    risk 0.71cvss 9.8epss 0.15

    The WP Umbrella: Update Backup Restore & Monitoring plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.17.0 via the 'filename' parameter of the 'umbrella-restore' action. This makes it possible for unauthenticated attackers to…

  • CVE-2024-10571CriNov 14, 2024
    risk 0.71cvss 9.8epss 0.05

    The Chartify – WordPress Chart Plugin plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.9.5 via the 'source' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server,…

  • CVE-2024-3806CriMay 14, 2024
    risk 0.69cvss 9.8epss 0.03

    The Porto theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 7.1.0 via the 'porto_ajax_posts' function. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution…

  • CVE-2023-6989CriFeb 5, 2024
    risk 0.69cvss 9.8epss 0.57

    The Shield Security – Smart Bot Blocking & Intrusion Prevention Security plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 18.5.9 via the render_action_template parameter. This makes it possible for unauthenticated attacker to…

  • CVE-2025-25174CriAug 14, 2025
    risk 0.65cvss 10.0epss 0.00

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in beeteam368 BeeTeam368 Extensions beeteam368-extensions allows PHP Local File Inclusion.This issue affects BeeTeam368 Extensions: from n/a through <= 1.9.4.

  • CVE-2024-12571CriDec 20, 2024
    risk 0.65cvss 9.8epss 0.01

    The Store Locator for WordPress with Google Maps – LotsOfLocales plugin for WordPress is vulnerable to Local File Inclusion in version 3.98.9 via the 'sl_engine' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the…

  • CVE-2024-4936CriJun 14, 2024
    risk 0.65cvss 9.8epss 0.01

    The Canto plugin for WordPress is vulnerable to Remote File Inclusion in all versions up to, and including, 3.0.8 via the abspath parameter. This makes it possible for unauthenticated attackers to include remote files on the server, resulting in code execution. This required…

  • CVE-2023-5199CriOct 30, 2023
    risk 0.65cvss 9.9epss 0.01

    The PHP to Page plugin for WordPress is vulnerable Local File Inclusion to Remote Code Execution in versions up to, and including, 0.3 via the 'php-to-page' shortcode. This allows authenticated attackers with subscriber-level permissions or above, to include local file and…

  • CVE-2026-9559CriMay 29, 2026
    risk 0.64cvss 9.9epss 0.01

    A path traversal vulnerability exists in the campaign import feature of Mautic 7. When extracting uploaded ZIP files during campaign imports, a flaw in the validation logic allows file paths to escape the intended temporary directories. An authenticated user with campaign import…

  • CVE-2026-27065CriMar 19, 2026
    risk 0.64cvss 9.8epss 0.00

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThimPress BuilderPress builderpress allows PHP Local File Inclusion.This issue affects BuilderPress: from n/a through <= 2.0.1.

  • CVE-2026-28043CriMar 5, 2026
    risk 0.64cvss 9.8epss 0.00

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Healer - Doctor, Clinic & Medical WordPress Theme healer allows PHP Local File Inclusion.This issue affects Healer - Doctor, Clinic & Medical…

  • CVE-2021-47900CriJan 27, 2026
    risk 0.64cvss 9.8epss 0.01

    Gila CMS versions prior to 2.0.0 contain a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary system commands through manipulated HTTP headers. Attackers can inject PHP code in the User-Agent header with shell_exec() to run system…

  • CVE-2025-14502CriJan 14, 2026
    risk 0.64cvss 9.8epss 0.01

    The News and Blog Designer Bundle plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.1 via the template parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary .php files on the server,…

  • CVE-2025-53433CriDec 18, 2025
    risk 0.64cvss 9.8epss 0.00

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes EasyEat easyeat allows PHP Local File Inclusion.This issue affects EasyEat: from n/a through <= 1.9.0.

  • CVE-2025-11023CriOct 23, 2025
    risk 0.64cvss 9.8epss 0.01

    Inclusion of Functionality from Untrusted Control Sphere, Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ArkSigner Software and Hardware Inc. AcBakImzala allows PHP Local File Inclusion. This issue…

  • CVE-2025-7634CriOct 9, 2025
    risk 0.64cvss 9.8epss 0.01

    The WP Travel Engine – Tour Booking Plugin – Tour Operator Software plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 6.6.7 via the mode parameter. This makes it possible for unauthenticated attackers to include and execute…

  • CVE-2025-48293CriAug 14, 2025
    risk 0.64cvss 9.8epss 0.00

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Dylan Kuhn Geo Mashup geo-mashup allows PHP Local File Inclusion.This issue affects Geo Mashup: from n/a through <= 1.13.16.

  • CVE-2025-46468CriMay 23, 2025
    risk 0.64cvss 9.8epss 0.01

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WPFable Fable Extra fable-extra allows PHP Local File Inclusion.This issue affects Fable Extra: from n/a through <= 1.0.6.

  • CVE-2025-39406CriMay 19, 2025
    risk 0.64cvss 9.8epss 0.00

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in mojoomla WPAMS apartment-management allows PHP Local File Inclusion.This issue affects WPAMS: from n/a through <= 44.0.