CWE-98

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

VariantDraftLikelihood: High

Description

The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions.

In certain versions and configurations of PHP, this can allow an attacker to specify a URL to a remote location from which the product will obtain the code to execute. In other cases in association with path traversal, the attacker can specify a local file that may contain executable statements that can be parsed by PHP.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-193

CVEs mapped to this weakness (1,041)

page 29 of 53

CVE	Vendor / Product	Sev	Risk	CVSS	EPSS	Published	Description
CVE-2025-49036	WordPress Premium Addons For Kingcomposer	Hig	0.53	8.1	0.00	Aug 14, 2025	Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in octagonwebstudio Premium Addons for KingComposer premium-addons-for-kingcomposer allows PHP Local File Inclusion.This issue affects Premium Addons for…
CVE-2025-30635	Themeatelier Idonate	Hig	0.53	8.1	0.00	Aug 14, 2025	Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeAtelier IDonatePro idonate-pro allows PHP Local File Inclusion.This issue affects IDonatePro: from n/a through <= 2.1.9.
CVE-2025-28979	Thimpress Wp Pipes	Hig	0.53	8.1	0.00	Aug 14, 2025	Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThimPress WP Pipes allows PHP Local File Inclusion. This issue affects WP Pipes: from n/a through 1.4.3.
CVE-2025-25172	beeteam368 VidMov	Hig	0.53	8.1	0.00	Aug 14, 2025	Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in beeteam368 VidMov vidmov allows PHP Local File Inclusion.This issue affects VidMov: from n/a through <= 1.9.4.
CVE-2025-52807	WordPress Kossy	Hig	0.53	8.1	0.01	Jul 4, 2025	Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ApusWP Kossy - Minimalist eCommerce WordPress Theme kossy allows PHP Local File Inclusion.This issue affects Kossy - Minimalist eCommerce WordPress Theme:…
CVE-2025-4414	WordPress Cmsmasters Content Composer	Hig	0.53	8.1	0.01	Jul 4, 2025	Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in cmsmasters CMSMasters Content Composer cmsmasters-content-composer allows PHP Local File Inclusion.This issue affects CMSMasters Content Composer: from n/a…
CVE-2025-52816	Themehunk Zita	Hig	0.53	8.1	0.01	Jun 27, 2025	Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in themehunk Zita zita allows PHP Local File Inclusion.This issue affects Zita: from n/a through <= 1.6.5.
CVE-2025-52815	Ancorathemes CityGov	Hig	0.53	8.1	0.01	Jun 27, 2025	Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes CityGov citygov allows PHP Local File Inclusion.This issue affects CityGov: from n/a through <= 1.9.
CVE-2025-52814	ovatheme BRW	Hig	0.53	8.1	0.01	Jun 27, 2025	Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ovatheme BRW ova-brw allows PHP Local File Inclusion.This issue affects BRW: from n/a through <= 1.8.7.
CVE-2025-52812	ApusWP Domnoo	Hig	0.53	8.1	0.01	Jun 27, 2025	Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ApusWP Domnoo domnoo allows PHP Local File Inclusion.This issue affects Domnoo: from n/a through <= 1.49.
CVE-2025-52809	WordPress National Weather Service Alerts	Hig	0.53	8.1	0.01	Jun 27, 2025	Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in John Russell National Weather Service Alerts national-weather-service-alerts allows PHP Local File Inclusion.This issue affects National Weather Service…
CVE-2025-52808	real-web RealtyElite	Hig	0.53	8.1	0.01	Jun 27, 2025	Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in real-web RealtyElite realtyelite allows PHP Local File Inclusion.This issue affects RealtyElite: from n/a through <= 1.0.0.
CVE-2025-52729	thembay Diza	Hig	0.53	8.1	0.01	Jun 27, 2025	Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Diza diza allows PHP Local File Inclusion.This issue affects Diza: from n/a through <= 1.3.9.
CVE-2025-52723	WordPress Networker	Hig	0.53	8.1	0.01	Jun 27, 2025	Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in codesupplyco Networker networker allows PHP Local File Inclusion.This issue affects Networker: from n/a through <= 1.2.0.
CVE-2025-49886	WordPress Zikzag Core	Hig	0.53	8.1	0.01	Jun 27, 2025	Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WebGeniusLab Zikzag Core zikzag-core allows PHP Local File Inclusion.This issue affects Zikzag Core: from n/a through <= 1.4.5.
CVE-2025-49883	thembay Greenmart	Hig	0.53	8.1	0.01	Jun 27, 2025	Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Greenmart greenmart allows PHP Local File Inclusion.This issue affects Greenmart: from n/a through <= 4.2.3.
CVE-2025-49416	WordPress Fw Gallery	Hig	0.53	8.1	0.01	Jun 27, 2025	Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Fastw3b LLC FW Gallery fw-gallery allows PHP Local File Inclusion.This issue affects FW Gallery: from n/a through <= 8.0.0.
CVE-2025-30992	WordPress Puca	Hig	0.53	8.1	0.01	Jun 27, 2025	Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Puca puca allows PHP Local File Inclusion.This issue affects Puca: from n/a through <= 2.6.33.
CVE-2025-28998	WordPress Serped Net	Hig	0.53	8.1	0.01	Jun 27, 2025	Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in serpednet SERPed.net serped-net allows PHP Local File Inclusion.This issue affects SERPed.net: from n/a through <= 4.6.
CVE-2025-28990	snstheme SNS Vicky	Hig	0.53	8.1	0.01	Jun 27, 2025	Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in snstheme SNS Vicky snsvicky allows PHP Local File Inclusion.This issue affects SNS Vicky: from n/a through <= 3.7.

CVE-2025-49036HigAug 14, 2025
WordPress
Premium Addons For Kingcomposer
risk 0.53cvss 8.1epss 0.00
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in octagonwebstudio Premium Addons for KingComposer premium-addons-for-kingcomposer allows PHP Local File Inclusion.This issue affects Premium Addons for…
CVE-2025-30635HigAug 14, 2025
Themeatelier
Idonate
risk 0.53cvss 8.1epss 0.00
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeAtelier IDonatePro idonate-pro allows PHP Local File Inclusion.This issue affects IDonatePro: from n/a through <= 2.1.9.
CVE-2025-28979HigAug 14, 2025
Thimpress
Wp Pipes
risk 0.53cvss 8.1epss 0.00
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThimPress WP Pipes allows PHP Local File Inclusion. This issue affects WP Pipes: from n/a through 1.4.3.
CVE-2025-25172HigAug 14, 2025
beeteam368
VidMov
risk 0.53cvss 8.1epss 0.00
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in beeteam368 VidMov vidmov allows PHP Local File Inclusion.This issue affects VidMov: from n/a through <= 1.9.4.
CVE-2025-52807HigJul 4, 2025
WordPress
Kossy
risk 0.53cvss 8.1epss 0.01
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ApusWP Kossy - Minimalist eCommerce WordPress Theme kossy allows PHP Local File Inclusion.This issue affects Kossy - Minimalist eCommerce WordPress Theme:…
CVE-2025-4414HigJul 4, 2025
WordPress
Cmsmasters Content Composer
risk 0.53cvss 8.1epss 0.01
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in cmsmasters CMSMasters Content Composer cmsmasters-content-composer allows PHP Local File Inclusion.This issue affects CMSMasters Content Composer: from n/a…
CVE-2025-52816HigJun 27, 2025
Themehunk
Zita
risk 0.53cvss 8.1epss 0.01
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in themehunk Zita zita allows PHP Local File Inclusion.This issue affects Zita: from n/a through <= 1.6.5.
CVE-2025-52815HigJun 27, 2025
Ancorathemes
CityGov
risk 0.53cvss 8.1epss 0.01
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes CityGov citygov allows PHP Local File Inclusion.This issue affects CityGov: from n/a through <= 1.9.
CVE-2025-52814HigJun 27, 2025
ovatheme
BRW
risk 0.53cvss 8.1epss 0.01
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ovatheme BRW ova-brw allows PHP Local File Inclusion.This issue affects BRW: from n/a through <= 1.8.7.
CVE-2025-52812HigJun 27, 2025
ApusWP
Domnoo
risk 0.53cvss 8.1epss 0.01
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ApusWP Domnoo domnoo allows PHP Local File Inclusion.This issue affects Domnoo: from n/a through <= 1.49.
CVE-2025-52809HigJun 27, 2025
WordPress
National Weather Service Alerts
risk 0.53cvss 8.1epss 0.01
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in John Russell National Weather Service Alerts national-weather-service-alerts allows PHP Local File Inclusion.This issue affects National Weather Service…
CVE-2025-52808HigJun 27, 2025
real-web
RealtyElite
risk 0.53cvss 8.1epss 0.01
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in real-web RealtyElite realtyelite allows PHP Local File Inclusion.This issue affects RealtyElite: from n/a through <= 1.0.0.
CVE-2025-52729HigJun 27, 2025
thembay
Diza
risk 0.53cvss 8.1epss 0.01
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Diza diza allows PHP Local File Inclusion.This issue affects Diza: from n/a through <= 1.3.9.
CVE-2025-52723HigJun 27, 2025
WordPress
Networker
risk 0.53cvss 8.1epss 0.01
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in codesupplyco Networker networker allows PHP Local File Inclusion.This issue affects Networker: from n/a through <= 1.2.0.
CVE-2025-49886HigJun 27, 2025
WordPress
Zikzag Core
risk 0.53cvss 8.1epss 0.01
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WebGeniusLab Zikzag Core zikzag-core allows PHP Local File Inclusion.This issue affects Zikzag Core: from n/a through <= 1.4.5.
CVE-2025-49883HigJun 27, 2025
thembay
Greenmart
risk 0.53cvss 8.1epss 0.01
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Greenmart greenmart allows PHP Local File Inclusion.This issue affects Greenmart: from n/a through <= 4.2.3.
CVE-2025-49416HigJun 27, 2025
WordPress
Fw Gallery
risk 0.53cvss 8.1epss 0.01
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Fastw3b LLC FW Gallery fw-gallery allows PHP Local File Inclusion.This issue affects FW Gallery: from n/a through <= 8.0.0.
CVE-2025-30992HigJun 27, 2025
WordPress
Puca
risk 0.53cvss 8.1epss 0.01
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Puca puca allows PHP Local File Inclusion.This issue affects Puca: from n/a through <= 2.6.33.
CVE-2025-28998HigJun 27, 2025
WordPress
Serped Net
risk 0.53cvss 8.1epss 0.01
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in serpednet SERPed.net serped-net allows PHP Local File Inclusion.This issue affects SERPed.net: from n/a through <= 4.6.
CVE-2025-28990HigJun 27, 2025
snstheme
SNS Vicky
risk 0.53cvss 8.1epss 0.01
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in snstheme SNS Vicky snsvicky allows PHP Local File Inclusion.This issue affects SNS Vicky: from n/a through <= 3.7.