CWE-98
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Description
The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-193
CVEs mapped to this weakness (1,051)
page 5 of 53| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-3500 | Hig | 0.57 | 8.8 | 0.01 | May 2, 2024 | The ElementsKit Pro plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.6.0 via the Price Menu, Hotspot, and Advanced Toggle widgets. This makes it possible for authenticated attackers, with contributor-level access and above, to… | ||
| CVE-2024-2411 | Cri | 0.57 | 9.8 | 0.02 | Mar 29, 2024 | The MasterStudy LMS plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.3.0 via the 'modal' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution… | ||
| CVE-2024-1382 | Hig | 0.57 | 8.8 | 0.01 | Mar 7, 2024 | The Restaurant Reservations plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.9 via the nd_rst_layout attribute of the nd_rst_search shortcode. This makes it possible for authenticated attackers, with contributor-level access and… | ||
| CVE-2023-5815 | Hig | 0.57 | 8.1 | 0.04 | Nov 22, 2023 | The News & Blog Designer Pack – WordPress Blog Plugin — (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post Ticker, Blog Post Masonry) plugin for WordPress is vulnerable to Remote Code Execution via Local File Inclusion in all versions up to, and including,… | ||
| CVE-2017-14095 | Hig | 0.57 | 8.1 | 0.12 | Jan 19, 2018 | A vulnerability in Trend Micro Smart Protection Server (Standalone) versions 3.2 and below could allow an attacker to perform remote command execution via a local file inclusion on a vulnerable system. | ||
| CVE-2025-32925 | Hig | 0.54 | 8.3 | 0.00 | May 19, 2025 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in FantasticPlugins SUMO Reward Points rewardsystem allows PHP Local File Inclusion.This issue affects SUMO Reward Points: from n/a through <= 30.7.0. | ||
| CVE-2026-9662 | Hig | 0.53 | 8.1 | 0.01 | Jun 9, 2026 | The Recover Exit For WooCommerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to and including 1.0.3. This is due to insufficient validation and sanitization of the user-controlled `tpf` POST parameter before it is used in an `include()` path in… | ||
| CVE-2026-39553 | Hig | 0.53 | 8.1 | 0.00 | Jun 2, 2026 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Select-Themes WaveRide allows PHP Local File Inclusion. This issue affects WaveRide: from n/a through 1.4. | ||
| CVE-2026-39552 | Hig | 0.53 | 8.1 | 0.00 | Jun 2, 2026 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Code Supply Co. Blueprint allows PHP Local File Inclusion. This issue affects Blueprint: from n/a before 1.1.5. | ||
| CVE-2025-69369 | Hig | 0.53 | 8.1 | 0.00 | Jun 2, 2026 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Axiomthemes Racquet allows PHP Local File Inclusion. This issue affects Racquet: from n/a through 1.12.0. | ||
| CVE-2025-68886 | Hig | 0.53 | 8.1 | 0.00 | Jun 2, 2026 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in androThemes Cookiteer allows PHP Local File Inclusion. This issue affects Cookiteer: from n/a through 1.4.8. | ||
| CVE-2025-58897 | Hig | 0.53 | 8.1 | 0.00 | Jun 2, 2026 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Axiomthemes Fermentio allows PHP Local File Inclusion. This issue affects Fermentio: from n/a through 1.5.0. | ||
| CVE-2025-58707 | Hig | 0.53 | 8.1 | 0.00 | Jun 2, 2026 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Axiomthemes Spin allows PHP Local File Inclusion. This issue affects Spin: from n/a through 1.8. | ||
| CVE-2025-58705 | Hig | 0.53 | 8.1 | 0.00 | Jun 2, 2026 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Axiomthemes Crafti allows PHP Local File Inclusion. This issue affects Crafti: from n/a through 1.12. | ||
| CVE-2025-53440 | Hig | 0.53 | 8.1 | 0.00 | Jun 2, 2026 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Axiomthemes Confidant allows PHP Local File Inclusion. This issue affects Confidant: from n/a through 1.4. | ||
| CVE-2025-58913 | — | Hig | 0.53 | 8.1 | 0.00 | Apr 10, 2026 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CactusThemes VideoPro videopro allows PHP Local File Inclusion.This issue affects VideoPro: from n/a through <= 2.3.8.1. | |
| CVE-2026-32531 | Hig | 0.53 | 8.1 | 0.00 | Mar 25, 2026 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in gavias Kunco kunco allows PHP Local File Inclusion.This issue affects Kunco: from n/a through < 1.4.5. | ||
| CVE-2026-32505 | Hig | 0.53 | 8.1 | 0.00 | Mar 25, 2026 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CreativeWS Kiddy kiddy allows PHP Local File Inclusion.This issue affects Kiddy: from n/a through <= 2.0.8. | ||
| CVE-2026-32504 | Hig | 0.53 | 8.1 | 0.00 | Mar 25, 2026 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CreativeWS VintWood vintwood allows PHP Local File Inclusion.This issue affects VintWood: from n/a through <= 1.1.8. | ||
| CVE-2026-32503 | Hig | 0.53 | 8.1 | 0.01 | Mar 25, 2026 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CreativeWS Trendustry trendustry allows PHP Local File Inclusion.This issue affects Trendustry: from n/a through <= 1.1.4. |
- risk 0.57cvss 8.8epss 0.01
The ElementsKit Pro plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.6.0 via the Price Menu, Hotspot, and Advanced Toggle widgets. This makes it possible for authenticated attackers, with contributor-level access and above, to…
- risk 0.57cvss 9.8epss 0.02
The MasterStudy LMS plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.3.0 via the 'modal' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution…
- risk 0.57cvss 8.8epss 0.01
The Restaurant Reservations plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.9 via the nd_rst_layout attribute of the nd_rst_search shortcode. This makes it possible for authenticated attackers, with contributor-level access and…
- risk 0.57cvss 8.1epss 0.04
The News & Blog Designer Pack – WordPress Blog Plugin — (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post Ticker, Blog Post Masonry) plugin for WordPress is vulnerable to Remote Code Execution via Local File Inclusion in all versions up to, and including,…
- risk 0.57cvss 8.1epss 0.12
A vulnerability in Trend Micro Smart Protection Server (Standalone) versions 3.2 and below could allow an attacker to perform remote command execution via a local file inclusion on a vulnerable system.
- risk 0.54cvss 8.3epss 0.00
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in FantasticPlugins SUMO Reward Points rewardsystem allows PHP Local File Inclusion.This issue affects SUMO Reward Points: from n/a through <= 30.7.0.
- risk 0.53cvss 8.1epss 0.01
The Recover Exit For WooCommerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to and including 1.0.3. This is due to insufficient validation and sanitization of the user-controlled `tpf` POST parameter before it is used in an `include()` path in…
- risk 0.53cvss 8.1epss 0.00
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Select-Themes WaveRide allows PHP Local File Inclusion. This issue affects WaveRide: from n/a through 1.4.
- risk 0.53cvss 8.1epss 0.00
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Code Supply Co. Blueprint allows PHP Local File Inclusion. This issue affects Blueprint: from n/a before 1.1.5.
- risk 0.53cvss 8.1epss 0.00
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Axiomthemes Racquet allows PHP Local File Inclusion. This issue affects Racquet: from n/a through 1.12.0.
- risk 0.53cvss 8.1epss 0.00
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in androThemes Cookiteer allows PHP Local File Inclusion. This issue affects Cookiteer: from n/a through 1.4.8.
- risk 0.53cvss 8.1epss 0.00
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Axiomthemes Fermentio allows PHP Local File Inclusion. This issue affects Fermentio: from n/a through 1.5.0.
- risk 0.53cvss 8.1epss 0.00
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Axiomthemes Spin allows PHP Local File Inclusion. This issue affects Spin: from n/a through 1.8.
- risk 0.53cvss 8.1epss 0.00
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Axiomthemes Crafti allows PHP Local File Inclusion. This issue affects Crafti: from n/a through 1.12.
- risk 0.53cvss 8.1epss 0.00
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Axiomthemes Confidant allows PHP Local File Inclusion. This issue affects Confidant: from n/a through 1.4.
- risk 0.53cvss 8.1epss 0.00
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CactusThemes VideoPro videopro allows PHP Local File Inclusion.This issue affects VideoPro: from n/a through <= 2.3.8.1.
- risk 0.53cvss 8.1epss 0.00
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in gavias Kunco kunco allows PHP Local File Inclusion.This issue affects Kunco: from n/a through < 1.4.5.
- risk 0.53cvss 8.1epss 0.00
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CreativeWS Kiddy kiddy allows PHP Local File Inclusion.This issue affects Kiddy: from n/a through <= 2.0.8.
- risk 0.53cvss 8.1epss 0.00
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CreativeWS VintWood vintwood allows PHP Local File Inclusion.This issue affects VintWood: from n/a through <= 1.1.8.
- risk 0.53cvss 8.1epss 0.01
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CreativeWS Trendustry trendustry allows PHP Local File Inclusion.This issue affects Trendustry: from n/a through <= 1.1.4.