CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in choicehomemortgage AI Mortgage Calculator allows PHP Local File Inclusion. This issue affects AI Mortgage Calculator: from n/a through 1.0.1.
Analysis
PHP Local File Inclusion (LFI) in choicehomemortgage AI Mortgage Calculator versions up to and including 1.0.1, caused by passing insufficiently validated input to a file inclusion statement. An authenticated attacker with low privileges can exploit it over the network to include, and thereby read or execute, files already present on the server. This can lead to information disclosure (configuration files, database credentials, application source code), privilege escalation or, when combined with a way to place attacker-controlled content on disk, remote code execution. The CVSS 3.1 base score of 7.5 (High) reflects high confidentiality, integrity and availability impact (C:H/I:H/A:H), while the requirement for authenticated access (PR:L) and the high attack complexity (AC:H) limit real-world exploitability.
Technical Context
This vulnerability stems from CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program), a classic PHP flaw in which user-controlled input reaches include(), require(), include_once() or require_once() without validation or an allow-list. The AI Mortgage Calculator plugin does not adequately filter or allow-list filenames before including them, so an attacker can use path traversal sequences to include arbitrary files already on the local filesystem. The CWE-98 title names "PHP Remote File Inclusion", but the impact recorded for this issue is local file inclusion, not inclusion of attacker-hosted remote URLs. In PHP environments LFI can expose sensitive files (configuration files containing database credentials, /etc/passwd on Linux systems, application source code) or, in specific conditions such as log poisoning or a chained file upload, lead to code execution. The affected product is choicehomemortgage AI Mortgage Calculator (the CPE context suggests WordPress plugin distribution), versions from an unspecified baseline through 1.0.1.
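The following is an added illustration of the CWE-98 pattern and its fix; it is not code from the AI Mortgage Calculator plugin or from the advisory, and the parameter name `template`, the `templates/` directory and the template names in the allow-list are assumptions chosen for the example. The first function shows the vulnerable shape (request input concatenated into an include path), the second shows the standard fix (allow-list the names, then include a path built only from the matched literal), and the third shows a defence-in-depth check for code that genuinely has to accept a filename.

```php
<?php
// Added example, not the AI Mortgage Calculator plugin's own code.
// "template", "templates/" and the allow-list entries are assumptions.

// --- Vulnerable pattern (CWE-98): request input reaches include() unchecked.
// A value such as "../../wp-config" or "../../../../etc/passwd%00" (on old PHP)
// walks out of templates/ and includes an arbitrary local file.
function render_template_vulnerable(string $name): void
{
    include __DIR__ . '/templates/' . $name . '.php';
}

// --- Hardened pattern: allow-list the template names first.
const ALLOWED_TEMPLATES = ['calculator', 'results', 'amortization'];

function render_template_safe(string $name): void
{
    if (!in_array($name, ALLOWED_TEMPLATES, true)) {
        http_response_code(400);
        exit('Unknown template');
    }
    // $name is now one of three known literals, so the path cannot escape templates/.
    include __DIR__ . '/templates/' . $name . '.php';
}

// --- Defence in depth when a filename must be accepted: strip directories,
// resolve the real path and confirm it is still below the base directory.
// Returns the resolved path or null when the request must be rejected.
function resolve_confined(string $baseDir, string $name): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // basename() drops any directory component; realpath() resolves symlinks
    // and ".." and returns false when the file does not exist.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . basename($name) . '.php');
    if ($candidate === false) {
        return null;
    }
    // Compare against base plus a trailing separator so a sibling directory such
    // as "templates_evil" is not accepted as a prefix match on "templates".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Request handling: prefer the allow-list; fall back to the confined resolver
// only for code paths that cannot enumerate their files in advance.
$template = $_GET['template'] ?? 'calculator';
render_template_safe($template);
```

The allow-list is the fix CWE-98 recommends: once the include path is built from a matched literal rather than from the request, traversal sequences, absolute paths and stream wrappers such as `php://filter` have nothing to act on. The `resolve_confined()` check is a fallback for the rarer case where the set of includable files is not fixed; on its own it does not stop an attacker who can already write a `.php` file under the base directory (the upload chain mentioned above), which is why the allow-list should be the primary control.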
Affected Products
AI Mortgage Calculator: 1.0.1 and earlier (baseline version not specified)
EUVD-2023-29882