CWE-98
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Variant · Draft · Likelihood: High
Description
The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions.
In certain versions and configurations of PHP, this can allow an attacker to specify a URL to a remote location from which the product will obtain the code to execute. In other cases, in association with path traversal, the attacker can specify a local file that may contain executable statements that can be parsed by PHP.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-193
CVEs mapped to this weakness (1,010)
Page 48 of 51

| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-26964 | High | 0.49 | 7.5 | 0.01 | | Feb 25, 2025 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Arraytics Eventin wp-event-solution allows PHP Local File Inclusion. This issue affects Eventin: from n/a through <= 4.0.20. |
| CVE-2025-26957 | High | 0.49 | 7.5 | 0.01 | | Feb 25, 2025 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Deetronix Affiliate Coupons affiliate-coupons allows PHP Local File Inclusion. This issue affects Affiliate Coupons: from n/a through <= 1.7.3. |
| CVE-2025-26932 | High | 0.49 | 7.5 | 0.01 | | Feb 25, 2025 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in QuantumCloud ChatBot chatbot allows PHP Local File Inclusion. This issue affects ChatBot: from n/a through <= 6.3.5. |
| CVE-2025-27272 | High | 0.49 | 7.5 | 0.01 | | Feb 24, 2025 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in vinagecko VG PostCarousel vg-postcarousel allows PHP Local File Inclusion. This issue affects VG PostCarousel: from n/a through <= 1.1. |
| CVE-2025-26760 | High | 0.49 | 7.5 | 0.01 | | Feb 22, 2025 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Wow-Company Calculator Builder calculator-builder allows PHP Local File Inclusion. This issue affects Calculator Builder: from n/a through <= 1.6.2. |
| CVE-2025-26757 | High | 0.49 | 7.5 | 0.01 | | Feb 22, 2025 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in FULL SERVICES FULL Customer full-customer allows PHP Local File Inclusion. This issue affects FULL Customer: from n/a through <= 3.1.26. |
| CVE-2025-25141 | High | 0.49 | 7.5 | 0.01 | | Feb 7, 2025 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in zankover Fami Sales Popup fami-sales-popup allows PHP Local File Inclusion. This issue affects Fami Sales Popup: from n/a through <= 2.0.0. |
| CVE-2025-23938 | High | 0.49 | 7.5 | 0.02 | | Jan 22, 2025 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CRUDLab Image Gallery Box by CRUDLab image-gallery-box-by-crudlab allows PHP Local File Inclusion. This issue affects Image Gallery Box by CRUDLab: from n/a through <= 1.0.3. |
| CVE-2025-22311 | High | 0.49 | 7.5 | 0.01 | | Jan 21, 2025 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in DeluxeThemes Private Messages for UserPro userpro-messaging. This issue affects Private Messages for UserPro: from n/a through <= 4.10.0. |
| CVE-2025-23915 | High | 0.49 | 7.5 | 0.01 | | Jan 16, 2025 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in roninwp FAT Event Lite fat-event-lite allows PHP Local File Inclusion. This issue affects FAT Event Lite: from n/a through <= 1.1. |
| CVE-2025-22364 | High | 0.49 | 7.5 | 0.01 | | Jan 7, 2025 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Service Shogun Ach Invoice App ach-invoice-app allows PHP Local File Inclusion. This issue affects Ach Invoice App: from n/a through <= 1.0.1. |
| CVE-2024-56282 | High | 0.49 | 7.5 | 0.03 | | Jan 7, 2025 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elicus WPMozo Addons Lite for Elementor wpmozo-addons-lite-for-elementor allows PHP Local File Inclusion. This issue affects WPMozo Addons Lite for Elementor: from n/a through <= 1.1.0. |
| CVE-2024-56281 | High | 0.49 | 7.5 | 0.03 | | Jan 7, 2025 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in codemstory 워드프레스 결제 심플페이 pgall-for-woocommerce allows PHP Local File Inclusion. This issue affects 워드프레스 결제 심플페이: from n/a through <= 5.2.0. |
| CVE-2024-56230 | High | 0.49 | 7.5 | 0.02 | | Dec 31, 2024 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Maidul Dynamic Product Category Grid, Slider for WooCommerce dynamic-product-categories-design allows PHP Local File Inclusion. This issue affects Dynamic Product Category Grid, Slider for WooCommerce: from n/a through <= 1.1.3. |
| CVE-2024-54376 | High | 0.49 | 7.5 | 0.04 | | Dec 16, 2024 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Spider Themes EazyDocs eazydocs allows PHP Local File Inclusion. This issue affects EazyDocs: from n/a through <= 2.8.0. |
| CVE-2024-54225 | High | 0.49 | 7.5 | 0.02 | | Dec 9, 2024 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in codegearthemes Designer designer allows PHP Local File Inclusion. This issue affects Designer: from n/a through <= 1.4.1. |
| CVE-2024-53824 | High | 0.49 | 7.5 | 0.05 | | Dec 6, 2024 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in all_bootstrap_blocks All Bootstrap Blocks all-bootstrap-blocks allows PHP Local File Inclusion. This issue affects All Bootstrap Blocks: from n/a through <= 1.3.19. |
| CVE-2024-52501 | High | 0.49 | 7.5 | 0.01 | | Nov 28, 2024 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WebbyTemplate Office Locator office-locator. This issue affects Office Locator: from n/a through <= 1.3.0. |
| CVE-2024-52499 | High | 0.49 | 7.5 | 0.01 | | Nov 28, 2024 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Ibrahim Pricing table addon for elementor pricing-table-addon-for-elementor allows PHP Local File Inclusion. This issue affects Pricing table addon for elementor: from n/a through <= 1.0.0. |
| CVE-2024-52497 | High | 0.49 | 7.5 | 0.01 | | Nov 28, 2024 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in quomodosoft Shopready shopready-elementor-addon allows PHP Local File Inclusion. This issue affects Shopready: from n/a through <= 3.6. |