CWE-98
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
VariantDraftLikelihood: High
Description
The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions.
In certain versions and configurations of PHP, this can allow an attacker to specify a URL to a remote location from which the product will obtain the code to execute. In other cases in association with path traversal, the attacker can specify a local file that may contain executable statements that can be parsed by PHP.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-193
CVEs mapped to this weakness (1,010)
page 44 of 51| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-49313 | Hig | 0.49 | 7.5 | 0.00 | Jun 6, 2025 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ovatheme BRW ova-brw allows PHP Local File Inclusion.This issue affects BRW: from n/a through <= 1.8.6. | |
| CVE-2025-49308 | Hig | 0.49 | 7.5 | 0.00 | Jun 6, 2025 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WP Travel Engine WP Travel Engine wp-travel-engine allows PHP Local File Inclusion.This issue affects WP Travel Engine: from n/a through <= 6.5.1. | |
| CVE-2025-49307 | Hig | 0.49 | 7.5 | 0.00 | Jun 6, 2025 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Magazine3 WP Multilang wp-multilang allows PHP Local File Inclusion.This issue affects WP Multilang: from n/a through <= 2.4.19. | |
| CVE-2025-30999 | Hig | 0.49 | 7.5 | 0.00 | Jun 6, 2025 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Fahad Mahmood External Store for Shopify wp-shopify allows PHP Local File Inclusion.This issue affects External Store for Shopify: from n/a through <= 1.5.9. | |
| CVE-2023-25995 | Hig | 0.49 | 7.5 | 0.00 | Jun 6, 2025 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in choicehomemortgage AI Mortgage Calculator allows PHP Local File Inclusion. This issue affects AI Mortgage Calculator: from n/a through 1.0.1. | |
| CVE-2025-46454 | Hig | 0.49 | 7.5 | 0.01 | May 23, 2025 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in svil4ok Meta Keywords & Description wp-meta-keywords-meta-description allows PHP Local File Inclusion.This issue affects Meta Keywords & Description: from n/a through <= 0.8. | |
| CVE-2025-39411 | Hig | 0.49 | 7.5 | 0.01 | May 19, 2025 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Indie_Plugins WhatsApp Click to Chat Plugin for WordPress wpt-whatsapp.This issue affects WhatsApp Click to Chat Plugin for WordPress: from n/a through <= 2.2.12. | |
| CVE-2025-39396 | Hig | 0.49 | 7.5 | 0.00 | May 19, 2025 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Crocoblock JetReviews jet-reviews allows PHP Local File Inclusion.This issue affects JetReviews: from n/a through <= 2.3.6. | |
| CVE-2025-26735 | Hig | 0.49 | 7.5 | 0.01 | May 19, 2025 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Candid themes Grip.This issue affects Grip: from n/a through 1.0.9. | |
| CVE-2025-39364 | Hig | 0.49 | 7.5 | 0.00 | May 19, 2025 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in PluginEver Product Category Slider for WooCommerce woo-category-slider-by-pluginever allows PHP Local File Inclusion.This issue affects Product Category Slider for WooCommerce: from n/a through <= 4.3.4. | |
| CVE-2025-48136 | Hig | 0.49 | 7.5 | 0.00 | May 16, 2025 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Estatik Mortgage Calculator Estatik estatik-mortgage-calculator allows PHP Local File Inclusion.This issue affects Mortgage Calculator Estatik: from n/a through <= 2.0.12. | |
| CVE-2025-47693 | Hig | 0.49 | 7.5 | 0.00 | May 16, 2025 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in roninwp FAT Services Booking fat-services-booking allows PHP Local File Inclusion.This issue affects FAT Services Booking: from n/a through <= 5.5. | |
| CVE-2025-39507 | Hig | 0.49 | 7.5 | 0.00 | May 16, 2025 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in NasaTheme Nasa Core nasa-core allows PHP Local File Inclusion.This issue affects Nasa Core: from n/a through < 6.4.4. | |
| CVE-2025-47653 | Hig | 0.49 | 7.5 | 0.00 | May 7, 2025 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in tggfref WP-Recall allows PHP Local File Inclusion. This issue affects WP-Recall: from n/a through 16.26.14. | |
| CVE-2025-47531 | Hig | 0.49 | 7.5 | 0.00 | May 7, 2025 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Xylus Themes XT Event Widget for Social Events xt-facebook-events allows PHP Local File Inclusion.This issue affects XT Event Widget for Social Events: from n/a through <= 1.1.7. | |
| CVE-2025-47510 | Hig | 0.49 | 7.5 | 0.00 | May 7, 2025 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in fullworks Display Eventbrite Events widget-for-eventbrite-api allows PHP Local File Inclusion.This issue affects Display Eventbrite Events: from n/a through < 6.3. | |
| CVE-2025-47508 | Hig | 0.49 | 7.5 | 0.00 | May 7, 2025 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Ruben Garcia GamiPress gamipress allows PHP Local File Inclusion.This issue affects GamiPress: from n/a through <= 7.3.7. | |
| CVE-2025-47498 | Hig | 0.49 | 7.5 | 0.00 | May 7, 2025 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in nicdark Hotel Booking nd-booking allows PHP Local File Inclusion.This issue affects Hotel Booking: from n/a through <= 3.6. | |
| CVE-2025-47496 | Hig | 0.49 | 7.5 | 0.00 | May 7, 2025 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in PublishPress PublishPress Authors publishpress-authors allows PHP Local File Inclusion.This issue affects PublishPress Authors: from n/a through <= 4.7.5. | |
| CVE-2025-47494 | Hig | 0.49 | 7.5 | 0.00 | May 7, 2025 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Ashan Perera EventON eventon-lite allows PHP Local File Inclusion.This issue affects EventON: from n/a through <= 2.4.1. |