VYPR

CWE-98

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

Abstraction: Variant
Status: Draft
Likelihood of Exploit: High

Description

The PHP application receives input from an upstream component but does not restrict, or incorrectly restricts, that input before using it as the path argument of "require," "include," "require_once," "include_once" or a similar function.

In certain versions and configurations of PHP, this allows an attacker to supply a URL to a remote location from which the product fetches the code it then executes (remote file inclusion). This requires the allow_url_include directive to be enabled; it has defaulted to Off since it was introduced in PHP 5.2 and is deprecated as of PHP 7.4. Even where remote inclusion is disabled, the same weakness combined with path traversal lets the attacker name a local file whose contents PHP will parse and execute, such as an uploaded file, a log or a session file (local file inclusion); stream wrappers such as php://filter can additionally be used to read source instead of executing it. Appending a fixed suffix such as ".php" to the attacker-controlled value narrows but does not close the hole: traversal to any other .php file on the host still works, and on PHP before 5.3.4 a NUL byte truncated the path so the suffix was discarded.
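As an added illustration (example code written for this page, not taken from the CWE entry or from any project listed below), the following PHP shows the weakness beside two hardened forms: a fixed allowlist for a closed set of templates, and a realpath()-based containment check for an open-ended set. The function names, the pages/ template directory and the throwaway files created at the bottom are assumptions made for the demonstration.

```php
<?php
// Added example for CWE-98; not code from the CWE entry or any listed project.

// VULNERABLE: the client picks the include path. With allow_url_include=On a
// URL is fetched and executed; even with it Off, "../" walks the filesystem to
// any other .php file and php://filter/... leaks source, so the ".php" suffix
// is not a control.
function render_page_vulnerable(string $page): void
{
    include __DIR__ . '/pages/' . $page . '.php';
}

// HARDENED, option 1: the untrusted value is only ever a key into a fixed map.
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function render_page_allowlist(string $page): void
{
    if (!array_key_exists($page, PAGES)) {
        http_response_code(404);
        return;
    }
    include __DIR__ . '/pages/' . PAGES[$page];
}

// HARDENED, option 2: for an open-ended template set, restrict the name to a
// plain token, resolve it with realpath() and require the result to sit inside
// the template root. Returns the resolved path or null when the name is rejected.
function resolve_template(string $root, string $name): ?string
{
    // Plain file-name token only: no separators, dots, NUL bytes or wrapper prefixes.
    if (!preg_match('/\A[a-z0-9_-]{1,64}\z/i', $name)) {
        return null;
    }
    $rootReal  = realpath($root);
    $candidate = realpath($root . '/' . $name . '.php');
    // realpath() returns false for missing files and for stream wrappers.
    if ($rootReal === false || $candidate === false) {
        return null;
    }
    // Containment check on the *resolved* path, so symlinks cannot escape the root.
    $prefix = $rootReal . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

function render_page_contained(string $page): void
{
    $file = resolve_template(__DIR__ . '/pages', $page);
    if ($file === null) {
        http_response_code(404);
        return;
    }
    include $file;
}

// Demonstration on a constructed, throwaway template root (assumed layout).
$root = sys_get_temp_dir() . '/cwe98_demo_' . getmypid();
mkdir($root . '/pages', 0700, true);
file_put_contents($root . '/pages/home.php', "<?php echo 'home';\n");
file_put_contents($root . '/secret.php',     "<?php echo 'outside the root';\n");
$haveLink = @symlink($root . '/secret.php', $root . '/pages/link.php');

var_dump(resolve_template($root . '/pages', 'home'));       // string(...) ".../pages/home.php"
var_dump(resolve_template($root . '/pages', '../secret'));  // NULL: traversal rejected
var_dump(resolve_template($root . '/pages',
    'php://filter/convert.base64-encode/resource=home'));   // NULL: wrapper rejected
if ($haveLink) {
    var_dump(resolve_template($root . '/pages', 'link'));   // NULL: symlink resolves outside root
    unlink($root . '/pages/link.php');
}

unlink($root . '/pages/home.php');
unlink($root . '/secret.php');
rmdir($root . '/pages');
rmdir($root);
```

The allowlist is the preferable fix whenever the set of includable files is known at development time; the containment variant is for plugin or theme systems where templates are discovered at runtime, and its regex is what actually stops wrappers and traversal, with the realpath() comparison as a second layer against symlinks placed inside the template directory.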

Hierarchy (View 1000)

Children

none

Related attack patterns (CAPEC)

CAPEC-193

CVEs mapped to this weakness (1,051)

page 3 of 53
  • CVE-2026-8208 | High | May 9, 2026
    risk 0.58 | CVSS n/a | EPSS 0.00

    Gibbon versions before v30.0.01 are affected by a local file inclusion vulnerability resulting in RCE by changing the report archive directory and forcing interpretation of a user provided .zip as PHP. Successful exploitation requires Teacher or higher privileges. Exploitation…

  • CVE-2025-52562 | Critical | Jun 23, 2025
    risk 0.58 | CVSS 10.0 | EPSS 0.02

    Convoy is a KVM server management panel for hosting businesses. In versions 3.9.0-rc3 to before 4.4.1, there is a directory traversal vulnerability in the LocaleController component of Performave Convoy. An unauthenticated remote attacker can exploit this vulnerability by…

  • CVE-2024-3807 | High | May 14, 2024
    risk 0.58 | CVSS 8.8 | EPSS 0.02

    The Porto theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 7.1.0 via 'porto_page_header_shortcode_type', 'slideshow_type' and 'post_layout' post meta. This makes it possible for authenticated attackers, with contributor-level and…

  • CVE-2026-44239 | High | May 29, 2026
    risk 0.57 | CVSS 8.8 | EPSS 0.00

    FreePBX is an open source IP PBX. Prior to 16.0.22 and 17.0.5, the Dashboard module's getcontent AJAX handler includes PHP files based on user-supplied input without path sanitization. The $_REQUEST['rawname'] parameter is concatenated into an include() call with a .class.php…

  • CVE-2026-7522 | High | May 20, 2026
    risk 0.57 | CVSS 8.8 | EPSS 0.01

    The Advanced Database Cleaner – Premium plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 4.1.0 via the 'template' parameter. This makes it possible for authenticated attackers, with Subscriber-level access and above, to include and…

  • CVE-2026-41228 | Critical | Apr 23, 2026
    risk 0.57 | CVSS 9.9 | EPSS 0.01

    Froxlor is open source server administration software. Prior to version 2.3.6, the Froxlor API endpoint `Customers.update` (and `Admins.update`) does not validate the `def_language` parameter against the list of available language files. An authenticated customer can set…

  • CVE-2026-1620 | High | Apr 16, 2026
    risk 0.57 | CVSS 8.8 | EPSS 0.01

    The Livemesh Addons for Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 9.0. This is due to insufficient sanitization of the template name parameter in the `lae_get_template_part()` function, which uses an inadequate…

  • CVE-2025-15368 | High | Feb 4, 2026
    risk 0.57 | CVSS 8.8 | EPSS 0.01

    The SportsPress plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.7.26 via shortcodes 'template_name' attribute. This makes it possible for authenticated attackers, with contributor-level and above permissions, to include and…

  • CVE-2025-67515 | High | Dec 9, 2025
    risk 0.57 | CVSS 8.8 | EPSS 0.00

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Wilmër wilmer allows PHP Local File Inclusion. This issue affects Wilmër: from n/a through < 3.5.

  • CVE-2025-13088 | High | Nov 18, 2025
    risk 0.57 | CVSS 8.8 | EPSS 0.00

    The Category and Product Woocommerce Tabs plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.0. This is due to insufficient input validation on the 'template' parameter in the categoryProductTab() function. This makes it possible…

  • CVE-2022-4982 | High | Nov 12, 2025
    risk 0.57 | CVSS n/a | EPSS 0.00

    DBLTek GoIP-1 firmware versions up to and including GHSFVT-1.1-67-5 contain a local file inclusion vulnerability. The device's web server exposes handlers (`frame.html` and `frame.A100.html`) that accept a path parameter (`content` or `sidebar`) which is not properly validated…

  • CVE-2025-7721 | Critical | Oct 3, 2025
    risk 0.57 | CVSS 9.8 | EPSS 0.01

    The JoomSport – for Sports: Team & League, Football, Hockey & more plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 5.7.3 via the task parameter. This makes it possible for unauthenticated attackers to include and execute…

  • CVE-2025-60126 | High | Sep 26, 2025
    risk 0.57 | CVSS 8.8 | EPSS 0.00

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in PluginOps Testimonial Slider testimonial-add allows PHP Local File Inclusion. This issue affects Testimonial Slider: from n/a through <= 3.5.8.6.

  • CVE-2025-8142 | High | Aug 16, 2025
    risk 0.57 | CVSS 8.8 | EPSS 0.00

    The Soledad theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 8.6.7 via the 'header_layout' parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary .php…

  • CVE-2025-52732 | High | Aug 14, 2025
    risk 0.57 | CVSS 8.8 | EPSS 0.00

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in RealMag777 GMap Targeting gmap-targeting allows PHP Local File Inclusion. This issue affects GMap Targeting: from n/a through <= 1.1.6.

  • CVE-2025-47576 | High | May 19, 2025
    risk 0.57 | CVSS 8.8 | EPSS 0.00

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Bringthepixel Bimber - Viral Magazine WordPress Theme. This issue affects Bimber - Viral Magazine WordPress Theme: from n/a through 9.2.5.

  • CVE-2025-39570 | High | Apr 16, 2025
    risk 0.57 | CVSS 8.8 | EPSS 0.01

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Lomu WPCOM Member wpcom-member allows PHP Local File Inclusion. This issue affects WPCOM Member: from n/a through <= 1.7.7.

  • CVE-2025-32614 | High | Apr 11, 2025
    risk 0.57 | CVSS 8.8 | EPSS 0.02

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Ashan Perera EventON eventon-lite allows PHP Local File Inclusion. This issue affects EventON: from n/a through <= 2.4.

  • CVE-2025-32146 | High | Apr 4, 2025
    risk 0.57 | CVSS 8.8 | EPSS 0.01

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in JoomSky JS Job Manager js-jobs allows PHP Local File Inclusion. This issue affects JS Job Manager: from n/a through <= 2.0.2.

  • CVE-2025-32142 | High | Apr 4, 2025
    risk 0.57 | CVSS 8.8 | EPSS 0.01

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Stylemix Motors motors-car-dealership-classified-listings allows PHP Local File Inclusion. This issue affects Motors: from n/a through <= 1.4.71.