VYPR

CWE-98

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

VariantDraftLikelihood: High

Description

The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions.

In certain versions and configurations of PHP, this can allow an attacker to specify a URL to a remote location from which the product will obtain the code to execute. In other cases in association with path traversal, the attacker can specify a local file that may contain executable statements that can be parsed by PHP.

Hierarchy (View 1000)

Children

none

Related attack patterns (CAPEC)

CAPEC-193

CVEs mapped to this weakness (1,051)

page 2 of 53
  • CVE-2025-31340CriApr 17, 2025
    risk 0.64cvss epss 0.00

    A improper control of filename for include/require statement in PHP program vulnerability in the retrieve course Information function of Wisdom Master Pro versions 5.0 through 5.2 allows remote attackers to perform arbitrary system commands by running a malicious file.

  • CVE-2025-32577CriApr 11, 2025
    risk 0.64cvss 9.8epss 0.01

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in hakeemnala Build App Online build-app-online allows PHP Local File Inclusion.This issue affects Build App Online: from n/a through <= 1.0.23.

  • CVE-2025-28916CriMar 26, 2025
    risk 0.64cvss 9.8epss 0.01

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Rashid Docpro docpro allows PHP Local File Inclusion.This issue affects Docpro: from n/a through <= 2.0.1.

  • CVE-2024-13790CriMar 19, 2025
    risk 0.64cvss 9.8epss 0.01

    The MinimogWP – The High Converting eCommerce WordPress Theme theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.7.0 via the 'template' parameter. This makes it possible for unauthenticated attackers to include and execute…

  • CVE-2024-49649CriJan 7, 2025
    risk 0.64cvss 9.8epss 0.01

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in hakeemnala Build App Online build-app-online allows PHP Local File Inclusion.This issue affects Build App Online: from n/a through <= 1.0.23.

  • CVE-2024-41925CriOct 3, 2024
    risk 0.64cvss 9.8epss 0.01

    The web service for ONS-S8 - Spectra Aggregation Switch includes functions which do not properly validate user input, allowing an attacker to traverse directories, bypass authentication, and execute remote code.

  • CVE-2024-4258CriJun 15, 2024
    risk 0.64cvss 9.8epss 0.01

    The Video Gallery – YouTube Playlist, Channel Gallery by YotuWP plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.3.13 via the settings parameter. This makes it possible for unauthenticated attackers to include and execute…

  • CVE-2024-5577CriJun 14, 2024
    risk 0.64cvss 9.8epss 0.01

    The Where I Was, Where I Will Be plugin for WordPress is vulnerable to Remote File Inclusion in version <= 1.1.1 via the WIW_HEADER parameter of the /system/include/include_user.php file. This makes it possible for unauthenticated attackers to include and execute arbitrary files…

  • CVE-2024-3551CriMay 17, 2024
    risk 0.64cvss 9.8epss 0.01

    The Penci Soledad Data Migrator plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.3.0 via the 'data' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing…

  • CVE-2023-4488CriOct 20, 2023
    risk 0.64cvss 9.8epss 0.01

    The Dropbox Folder Share for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 1.9.7 via the editor-view.php file. This allows unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code…

  • CVE-2023-3452CriAug 12, 2023
    risk 0.64cvss 9.8epss 0.06

    The Canto plugin for WordPress is vulnerable to Remote File Inclusion in versions up to, and including, 3.0.4 via the 'wp_abspath' parameter. This allows unauthenticated attackers to include and execute arbitrary remote code on the server, provided that allow_url_include is…

  • CVE-2024-43261CriAug 19, 2024
    risk 0.63cvss 9.6epss 0.01

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Hamed Naderfar Compute Links allows PHP Remote File Inclusion.This issue affects Compute Links: from n/a through 1.2.1.

  • CVE-2026-0926CriFeb 19, 2026
    risk 0.62cvss 9.8epss 0.09

    The Prodigy Commerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.3.0 via the 'parameters[template_name]' parameter. This makes it possible for unauthenticated attackers to include and read arbitrary files or execute…

  • CVE-2025-26909CriMar 27, 2025
    risk 0.62cvss 9.6epss 0.01

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in John Darrel Hide My WP Ghost hide-my-wp allows PHP Local File Inclusion.This issue affects Hide My WP Ghost: from n/a through <= 5.4.01.

  • CVE-2024-3136CriApr 9, 2024
    risk 0.61cvss 9.8epss 0.05

    The MasterStudy LMS plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.3.3 via the 'template' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the…

  • CVE-2023-2249HigJun 9, 2023
    risk 0.61cvss 8.8epss 0.61

    The wpForo Forum plugin for WordPress is vulnerable to Local File Include, Server-Side Request Forgery, and PHAR Deserialization in versions up to, and including, 2.1.7. This is due to the insecure use of file_get_contents without appropriate verification of the data being…

  • CVE-2025-0632CriApr 21, 2025
    risk 0.60cvss epss 0.01

    Local File Inclusion (LFI) vulnerability in a Render function of Formulatrix Rock Maker Web (RMW) allows a remote attacker to obtain sensitive data via arbitrary code execution. A malicious actor could execute malicious scripts to automatically download configuration files in…

  • CVE-2025-47586CriJun 6, 2025
    risk 0.59cvss 9.0epss 0.00

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in StylemixThemes Motors - Events stm-motors-events allows PHP Local File Inclusion.This issue affects Motors - Events: from n/a through <= 1.4.7.

  • CVE-2025-26916CriMar 10, 2025
    risk 0.59cvss 9.0epss 0.01

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Pixflow Massive Dynamic massive-dynamic.This issue affects Massive Dynamic: from n/a through <= 8.2.

  • CVE-2024-27971HigMay 17, 2024
    risk 0.59cvss 8.3epss 0.01

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Premmerce Premmerce Permalink Manager for WooCommerce woo-permalink-manager.This issue affects Premmerce Permalink Manager for WooCommerce: from n/a through…