CWE-98
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Description
The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-193
CVEs mapped to this weakness (1,051)
page 2 of 53| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-31340 | Cri | 0.64 | — | 0.00 | Apr 17, 2025 | A improper control of filename for include/require statement in PHP program vulnerability in the retrieve course Information function of Wisdom Master Pro versions 5.0 through 5.2 allows remote attackers to perform arbitrary system commands by running a malicious file. | ||
| CVE-2025-32577 | Cri | 0.64 | 9.8 | 0.01 | Apr 11, 2025 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in hakeemnala Build App Online build-app-online allows PHP Local File Inclusion.This issue affects Build App Online: from n/a through <= 1.0.23. | ||
| CVE-2025-28916 | Cri | 0.64 | 9.8 | 0.01 | Mar 26, 2025 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Rashid Docpro docpro allows PHP Local File Inclusion.This issue affects Docpro: from n/a through <= 2.0.1. | ||
| CVE-2024-13790 | Cri | 0.64 | 9.8 | 0.01 | Mar 19, 2025 | The MinimogWP – The High Converting eCommerce WordPress Theme theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.7.0 via the 'template' parameter. This makes it possible for unauthenticated attackers to include and execute… | ||
| CVE-2024-49649 | Cri | 0.64 | 9.8 | 0.01 | Jan 7, 2025 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in hakeemnala Build App Online build-app-online allows PHP Local File Inclusion.This issue affects Build App Online: from n/a through <= 1.0.23. | ||
| CVE-2024-41925 | — | Cri | 0.64 | 9.8 | 0.01 | Oct 3, 2024 | The web service for ONS-S8 - Spectra Aggregation Switch includes functions which do not properly validate user input, allowing an attacker to traverse directories, bypass authentication, and execute remote code. | |
| CVE-2024-4258 | Cri | 0.64 | 9.8 | 0.01 | Jun 15, 2024 | The Video Gallery – YouTube Playlist, Channel Gallery by YotuWP plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.3.13 via the settings parameter. This makes it possible for unauthenticated attackers to include and execute… | ||
| CVE-2024-5577 | Cri | 0.64 | 9.8 | 0.01 | Jun 14, 2024 | The Where I Was, Where I Will Be plugin for WordPress is vulnerable to Remote File Inclusion in version <= 1.1.1 via the WIW_HEADER parameter of the /system/include/include_user.php file. This makes it possible for unauthenticated attackers to include and execute arbitrary files… | ||
| CVE-2024-3551 | Cri | 0.64 | 9.8 | 0.01 | May 17, 2024 | The Penci Soledad Data Migrator plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.3.0 via the 'data' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing… | ||
| CVE-2023-4488 | Cri | 0.64 | 9.8 | 0.01 | Oct 20, 2023 | The Dropbox Folder Share for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 1.9.7 via the editor-view.php file. This allows unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code… | ||
| CVE-2023-3452 | Cri | 0.64 | 9.8 | 0.06 | Aug 12, 2023 | The Canto plugin for WordPress is vulnerable to Remote File Inclusion in versions up to, and including, 3.0.4 via the 'wp_abspath' parameter. This allows unauthenticated attackers to include and execute arbitrary remote code on the server, provided that allow_url_include is… | ||
| CVE-2024-43261 | Cri | 0.63 | 9.6 | 0.01 | Aug 19, 2024 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Hamed Naderfar Compute Links allows PHP Remote File Inclusion.This issue affects Compute Links: from n/a through 1.2.1. | ||
| CVE-2026-0926 | Cri | 0.62 | 9.8 | 0.09 | Feb 19, 2026 | The Prodigy Commerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.3.0 via the 'parameters[template_name]' parameter. This makes it possible for unauthenticated attackers to include and read arbitrary files or execute… | ||
| CVE-2025-26909 | Cri | 0.62 | 9.6 | 0.01 | Mar 27, 2025 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in John Darrel Hide My WP Ghost hide-my-wp allows PHP Local File Inclusion.This issue affects Hide My WP Ghost: from n/a through <= 5.4.01. | ||
| CVE-2024-3136 | Cri | 0.61 | 9.8 | 0.05 | Apr 9, 2024 | The MasterStudy LMS plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.3.3 via the 'template' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the… | ||
| CVE-2023-2249 | Hig | 0.61 | 8.8 | 0.61 | Jun 9, 2023 | The wpForo Forum plugin for WordPress is vulnerable to Local File Include, Server-Side Request Forgery, and PHAR Deserialization in versions up to, and including, 2.1.7. This is due to the insecure use of file_get_contents without appropriate verification of the data being… | ||
| CVE-2025-0632 | Cri | 0.60 | — | 0.01 | Apr 21, 2025 | Local File Inclusion (LFI) vulnerability in a Render function of Formulatrix Rock Maker Web (RMW) allows a remote attacker to obtain sensitive data via arbitrary code execution. A malicious actor could execute malicious scripts to automatically download configuration files in… | ||
| CVE-2025-47586 | Cri | 0.59 | 9.0 | 0.00 | Jun 6, 2025 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in StylemixThemes Motors - Events stm-motors-events allows PHP Local File Inclusion.This issue affects Motors - Events: from n/a through <= 1.4.7. | ||
| CVE-2025-26916 | Cri | 0.59 | 9.0 | 0.01 | Mar 10, 2025 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Pixflow Massive Dynamic massive-dynamic.This issue affects Massive Dynamic: from n/a through <= 8.2. | ||
| CVE-2024-27971 | Hig | 0.59 | 8.3 | 0.01 | May 17, 2024 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Premmerce Premmerce Permalink Manager for WooCommerce woo-permalink-manager.This issue affects Premmerce Permalink Manager for WooCommerce: from n/a through… |
- risk 0.64cvss —epss 0.00
A improper control of filename for include/require statement in PHP program vulnerability in the retrieve course Information function of Wisdom Master Pro versions 5.0 through 5.2 allows remote attackers to perform arbitrary system commands by running a malicious file.
- risk 0.64cvss 9.8epss 0.01
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in hakeemnala Build App Online build-app-online allows PHP Local File Inclusion.This issue affects Build App Online: from n/a through <= 1.0.23.
- risk 0.64cvss 9.8epss 0.01
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Rashid Docpro docpro allows PHP Local File Inclusion.This issue affects Docpro: from n/a through <= 2.0.1.
- risk 0.64cvss 9.8epss 0.01
The MinimogWP – The High Converting eCommerce WordPress Theme theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.7.0 via the 'template' parameter. This makes it possible for unauthenticated attackers to include and execute…
- risk 0.64cvss 9.8epss 0.01
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in hakeemnala Build App Online build-app-online allows PHP Local File Inclusion.This issue affects Build App Online: from n/a through <= 1.0.23.
- risk 0.64cvss 9.8epss 0.01
The web service for ONS-S8 - Spectra Aggregation Switch includes functions which do not properly validate user input, allowing an attacker to traverse directories, bypass authentication, and execute remote code.
- risk 0.64cvss 9.8epss 0.01
The Video Gallery – YouTube Playlist, Channel Gallery by YotuWP plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.3.13 via the settings parameter. This makes it possible for unauthenticated attackers to include and execute…
- risk 0.64cvss 9.8epss 0.01
The Where I Was, Where I Will Be plugin for WordPress is vulnerable to Remote File Inclusion in version <= 1.1.1 via the WIW_HEADER parameter of the /system/include/include_user.php file. This makes it possible for unauthenticated attackers to include and execute arbitrary files…
- risk 0.64cvss 9.8epss 0.01
The Penci Soledad Data Migrator plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.3.0 via the 'data' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing…
- risk 0.64cvss 9.8epss 0.01
The Dropbox Folder Share for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 1.9.7 via the editor-view.php file. This allows unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code…
- risk 0.64cvss 9.8epss 0.06
The Canto plugin for WordPress is vulnerable to Remote File Inclusion in versions up to, and including, 3.0.4 via the 'wp_abspath' parameter. This allows unauthenticated attackers to include and execute arbitrary remote code on the server, provided that allow_url_include is…
- risk 0.63cvss 9.6epss 0.01
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Hamed Naderfar Compute Links allows PHP Remote File Inclusion.This issue affects Compute Links: from n/a through 1.2.1.
- risk 0.62cvss 9.8epss 0.09
The Prodigy Commerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.3.0 via the 'parameters[template_name]' parameter. This makes it possible for unauthenticated attackers to include and read arbitrary files or execute…
- risk 0.62cvss 9.6epss 0.01
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in John Darrel Hide My WP Ghost hide-my-wp allows PHP Local File Inclusion.This issue affects Hide My WP Ghost: from n/a through <= 5.4.01.
- risk 0.61cvss 9.8epss 0.05
The MasterStudy LMS plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.3.3 via the 'template' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the…
- risk 0.61cvss 8.8epss 0.61
The wpForo Forum plugin for WordPress is vulnerable to Local File Include, Server-Side Request Forgery, and PHAR Deserialization in versions up to, and including, 2.1.7. This is due to the insecure use of file_get_contents without appropriate verification of the data being…
- risk 0.60cvss —epss 0.01
Local File Inclusion (LFI) vulnerability in a Render function of Formulatrix Rock Maker Web (RMW) allows a remote attacker to obtain sensitive data via arbitrary code execution. A malicious actor could execute malicious scripts to automatically download configuration files in…
- risk 0.59cvss 9.0epss 0.00
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in StylemixThemes Motors - Events stm-motors-events allows PHP Local File Inclusion.This issue affects Motors - Events: from n/a through <= 1.4.7.
- risk 0.59cvss 9.0epss 0.01
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Pixflow Massive Dynamic massive-dynamic.This issue affects Massive Dynamic: from n/a through <= 8.2.
- risk 0.59cvss 8.3epss 0.01
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Premmerce Premmerce Permalink Manager for WooCommerce woo-permalink-manager.This issue affects Premmerce Permalink Manager for WooCommerce: from n/a through…