CWE-98

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

VariantDraftLikelihood: High

Description

The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions.

In certain versions and configurations of PHP, this can allow an attacker to specify a URL to a remote location from which the product will obtain the code to execute. In other cases in association with path traversal, the attacker can specify a local file that may contain executable statements that can be parsed by PHP.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-193

CVEs mapped to this weakness (1,010)

page 18 of 51

CVE	Sev	Risk	CVSS	Published	Description
CVE-2025-68536	Hig	0.53	8.1	Feb 20, 2026	Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Zota zota allows PHP Local File Inclusion.This issue affects Zota: from n/a through <= 1.3.14.
CVE-2025-67992	Hig	0.53	8.1	Feb 20, 2026	Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in LoftOcean PatioTime patiotime allows PHP Local File Inclusion.This issue affects PatioTime: from n/a through < 2.1.
CVE-2025-67988	Hig	0.53	8.1	Feb 20, 2026	Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in LoftOcean CozyStay cozystay allows PHP Local File Inclusion.This issue affects CozyStay: from n/a through < 1.9.1.
CVE-2025-67982	Hig	0.53	8.1	Feb 20, 2026	Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Urna urna allows PHP Local File Inclusion.This issue affects Urna: from n/a through <= 2.5.12.
CVE-2025-67981	Hig	0.53	8.1	Feb 20, 2026	Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Besa besa allows PHP Local File Inclusion.This issue affects Besa: from n/a through <= 2.3.15.
CVE-2025-67980	Hig	0.53	8.1	Feb 20, 2026	Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Hara hara allows PHP Local File Inclusion.This issue affects Hara: from n/a through <= 1.2.17.
CVE-2025-60087	Hig	0.53	8.1	Feb 20, 2026	Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Nenad Obradovic Extensive VC Addons for WPBakery page builder extensive-vc-addon allows PHP Local File Inclusion.This issue affects Extensive VC Addons for WPBakery page builder: from n/a through <= 1.9.1.
CVE-2025-69314	Hig	0.53	8.1	Jan 22, 2026	Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in fuelthemes Werkstatt werkstatt allows PHP Local File Inclusion.This issue affects Werkstatt: from n/a through < 4.8.3.
CVE-2025-69100	Hig	0.53	8.1	Jan 22, 2026	Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in fuelthemes North north-wp allows PHP Local File Inclusion.This issue affects North: from n/a through <= 5.7.5.
CVE-2025-69078	Hig	0.53	8.1	Jan 22, 2026	Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Malta malta allows PHP Local File Inclusion.This issue affects Malta: from n/a through <= 1.3.3.
CVE-2025-69077	Hig	0.53	8.1	Jan 22, 2026	Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Hobo hobo allows PHP Local File Inclusion.This issue affects Hobo: from n/a through <= 1.0.10.
CVE-2025-69076	Hig	0.53	8.1	Jan 22, 2026	Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Modern Housewife modernhousewife allows PHP Local File Inclusion.This issue affects Modern Housewife: from n/a through <= 1.0.12.
CVE-2025-69075	Hig	0.53	8.1	Jan 22, 2026	Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Yolox yolox allows PHP Local File Inclusion.This issue affects Yolox: from n/a through <= 1.0.15.
CVE-2025-69074	Hig	0.53	8.1	Jan 22, 2026	Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Pearson Specter pearsonspecter allows PHP Local File Inclusion.This issue affects Pearson Specter: from n/a through <= 1.11.3.
CVE-2025-69073	Hig	0.53	8.1	Jan 22, 2026	Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Piqes piqes allows PHP Local File Inclusion.This issue affects Piqes: from n/a through <= 1.0.11.
CVE-2025-69072	Hig	0.53	8.1	Jan 22, 2026	Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Prider prider allows PHP Local File Inclusion.This issue affects Prider: from n/a through <= 1.1.3.1.
CVE-2025-69071	Hig	0.53	8.1	Jan 22, 2026	Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes TanTum tantum allows PHP Local File Inclusion.This issue affects TanTum: from n/a through <= 1.1.13.
CVE-2025-69070	Hig	0.53	8.1	Jan 22, 2026	Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Tornados tornados allows PHP Local File Inclusion.This issue affects Tornados: from n/a through <= 2.1.
CVE-2025-69068	Hig	0.53	8.1	Jan 22, 2026	Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Muji muji allows PHP Local File Inclusion.This issue affects Muji: from n/a through <= 1.2.0.
CVE-2025-69067	Hig	0.53	8.1	Jan 22, 2026	Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Tails tails allows PHP Local File Inclusion.This issue affects Tails: from n/a through <= 1.4.12.

CVE-2025-68536HigFeb 20, 2026
risk 0.53cvss 8.1epss 0.00
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Zota zota allows PHP Local File Inclusion.This issue affects Zota: from n/a through <= 1.3.14.
CVE-2025-67992HigFeb 20, 2026
risk 0.53cvss 8.1epss 0.00
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in LoftOcean PatioTime patiotime allows PHP Local File Inclusion.This issue affects PatioTime: from n/a through < 2.1.
CVE-2025-67988HigFeb 20, 2026
risk 0.53cvss 8.1epss 0.00
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in LoftOcean CozyStay cozystay allows PHP Local File Inclusion.This issue affects CozyStay: from n/a through < 1.9.1.
CVE-2025-67982HigFeb 20, 2026
risk 0.53cvss 8.1epss 0.00
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Urna urna allows PHP Local File Inclusion.This issue affects Urna: from n/a through <= 2.5.12.
CVE-2025-67981HigFeb 20, 2026
risk 0.53cvss 8.1epss 0.00
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Besa besa allows PHP Local File Inclusion.This issue affects Besa: from n/a through <= 2.3.15.
CVE-2025-67980HigFeb 20, 2026
risk 0.53cvss 8.1epss 0.00
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Hara hara allows PHP Local File Inclusion.This issue affects Hara: from n/a through <= 1.2.17.
CVE-2025-60087HigFeb 20, 2026
risk 0.53cvss 8.1epss 0.00
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Nenad Obradovic Extensive VC Addons for WPBakery page builder extensive-vc-addon allows PHP Local File Inclusion.This issue affects Extensive VC Addons for WPBakery page builder: from n/a through <= 1.9.1.
CVE-2025-69314HigJan 22, 2026
risk 0.53cvss 8.1epss 0.00
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in fuelthemes Werkstatt werkstatt allows PHP Local File Inclusion.This issue affects Werkstatt: from n/a through < 4.8.3.
CVE-2025-69100HigJan 22, 2026
risk 0.53cvss 8.1epss 0.00
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in fuelthemes North north-wp allows PHP Local File Inclusion.This issue affects North: from n/a through <= 5.7.5.
CVE-2025-69078HigJan 22, 2026
risk 0.53cvss 8.1epss 0.00
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Malta malta allows PHP Local File Inclusion.This issue affects Malta: from n/a through <= 1.3.3.
CVE-2025-69077HigJan 22, 2026
risk 0.53cvss 8.1epss 0.00
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Hobo hobo allows PHP Local File Inclusion.This issue affects Hobo: from n/a through <= 1.0.10.
CVE-2025-69076HigJan 22, 2026
risk 0.53cvss 8.1epss 0.00
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Modern Housewife modernhousewife allows PHP Local File Inclusion.This issue affects Modern Housewife: from n/a through <= 1.0.12.
CVE-2025-69075HigJan 22, 2026
risk 0.53cvss 8.1epss 0.00
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Yolox yolox allows PHP Local File Inclusion.This issue affects Yolox: from n/a through <= 1.0.15.
CVE-2025-69074HigJan 22, 2026
risk 0.53cvss 8.1epss 0.00
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Pearson Specter pearsonspecter allows PHP Local File Inclusion.This issue affects Pearson Specter: from n/a through <= 1.11.3.
CVE-2025-69073HigJan 22, 2026
risk 0.53cvss 8.1epss 0.00
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Piqes piqes allows PHP Local File Inclusion.This issue affects Piqes: from n/a through <= 1.0.11.
CVE-2025-69072HigJan 22, 2026
risk 0.53cvss 8.1epss 0.00
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Prider prider allows PHP Local File Inclusion.This issue affects Prider: from n/a through <= 1.1.3.1.
CVE-2025-69071HigJan 22, 2026
risk 0.53cvss 8.1epss 0.00
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes TanTum tantum allows PHP Local File Inclusion.This issue affects TanTum: from n/a through <= 1.1.13.
CVE-2025-69070HigJan 22, 2026
risk 0.53cvss 8.1epss 0.00
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Tornados tornados allows PHP Local File Inclusion.This issue affects Tornados: from n/a through <= 2.1.
CVE-2025-69068HigJan 22, 2026
risk 0.53cvss 8.1epss 0.00
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Muji muji allows PHP Local File Inclusion.This issue affects Muji: from n/a through <= 1.2.0.
CVE-2025-69067HigJan 22, 2026
risk 0.53cvss 8.1epss 0.00
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Tails tails allows PHP Local File Inclusion.This issue affects Tails: from n/a through <= 1.4.12.