Skip to main content

LFI

1172 CVEs technique

Monthly

CVE-2025-30871 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WP Travel Engine WP Travel Engine allows PHP Local File Inclusion.3.5. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure LFI PHP
NVD
CVSS 3.1
7.5
EPSS
0.4%
CVE-2025-30868 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in DynamicWebLab Team Manager allows PHP Local File Inclusion.1.23. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure LFI PHP
NVD
CVSS 3.1
7.5
EPSS
0.4%
CVE-2025-30846 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in jetmonsters Restaurant Menu by MotoPress allows PHP Local File Inclusion.4.4. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure LFI PHP
NVD
CVSS 3.1
8.8
EPSS
0.6%
CVE-2025-30845 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in webangon The Pack Elementor addons allows PHP Local File Inclusion.1.1. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure LFI PHP
NVD
CVSS 3.1
7.5
EPSS
0.4%
CVE-2025-30831 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in themifyme Themify Event Post allows PHP Local File Inclusion.3.2. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure LFI PHP
NVD
CVSS 3.1
7.5
EPSS
0.4%
CVE-2025-30829 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Themewinter WPCafe allows PHP Local File Inclusion.2.31. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure LFI PHP
NVD
CVSS 3.1
7.5
EPSS
0.4%
CVE-2025-30820 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in HT Plugins WishSuite allows PHP Local File Inclusion.4.4. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure LFI PHP
NVD
CVSS 3.1
7.5
EPSS
0.4%
CVE-2025-30814 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in RadiusTheme The Post Grid allows PHP Local File Inclusion.7.17. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure LFI PHP
NVD
CVSS 3.1
7.5
EPSS
0.4%
CVE-2025-30785 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WP Shuffle Subscribe to Download Lite allows PHP Local File Inclusion.2.9. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure LFI PHP
NVD
CVSS 3.1
7.5
EPSS
0.4%
CVE-2025-28916 CRITICAL Act Now

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in NotFound Docpro allows PHP Local File Inclusion.0.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure LFI PHP
NVD
CVSS 3.1
9.8
EPSS
0.3%
CVE-2025-27015 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in designingmedia Hostiko allows PHP Local File Inclusion.1. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure LFI PHP
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-26986 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in StylemixThemes Pearl - Corporate Business allows PHP Local File Inclusion.4.8. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure LFI PHP
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-24690 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Michele Giorgi Formality allows PHP Local File Inclusion.5.7. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure LFI PHP
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-23952 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ntm custom-field-list-widget allows PHP Local File Inclusion.5.1. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure LFI PHP
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-23937 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in NotFound LinkedIn Lite allows PHP Local File Inclusion.0. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure LFI PHP
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2024-13790 CRITICAL Act Now

The MinimogWP - The High Converting eCommerce WordPress Theme theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.7.0 via the 'template' parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure PHP RCE LFI WordPress
NVD
CVSS 3.1
9.8
EPSS
1.3%
CVE-2024-12563 HIGH This Month

The s2Member Pro plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 250214 via the 'template' attribute. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure PHP RCE LFI WordPress
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2025-26137 HIGH This Week

Systemic Risk Value <=2.8.0 is vulnerable to Local File Inclusion via /GetFile.aspx?ReportUrl=. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure LFI PHP Risk Value
NVD GitHub
CVSS 3.1
7.5
EPSS
0.3%
CVE-2025-1771 CRITICAL Act Now

The Traveler theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.1.8 via the 'hotel_alone_load_more_post' function 'style' parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure PHP RCE LFI WordPress +1
NVD
CVSS 3.1
9.8
EPSS
1.1%
CVE-2025-26933 HIGH This Week

Local File Inclusion in WC Place Order Without Payment (WordPress plugin) versions up to 2.6.7 enables remote attackers to read arbitrary files from the web server through improper filename control in PHP include/require statements. While CVSS rates this 7.5 (High), EPSS exploitation probability is low (0.24%, 46th percentile), and no active exploitation is confirmed (not in CISA KEV). Patchstack vulnerability database confirms the flaw, but no public exploit code is identified at time of analysis. Real-world risk is moderate: exploitation requires high attack complexity and user interaction, limiting mass exploitation scenarios despite network accessibility.

PHP LFI Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-26916 CRITICAL Act Now

The Massive Dynamic WordPress theme (through 8.2) by EPC is vulnerable to PHP Remote File Inclusion via an improperly controlled include/require statement. Although the attack complexity is high, successful exploitation allows unauthenticated remote code execution with scope change.

PHP LFI Information Disclosure
NVD
CVSS 3.1
9.0
EPSS
0.3%
CVE-2023-49031 MEDIUM POC This Month

Directory Traversal (Local File Inclusion) vulnerability in Tikit (now Advanced) eMarketing platform 6.8.3.0 allows a remote attacker to read arbitrary files and obtain sensitive information via a. Rated medium severity (CVSS 5.1), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

LFI PHP Path Traversal Tikit Emarketing
NVD GitHub
CVSS 3.1
5.1
EPSS
0.0%
CVE-2025-27264 HIGH This Week

Local File Inclusion (LFI) in Doctor Appointment Booking WordPress plugin version 1.0.0 and earlier allows authenticated attackers with low privileges to read arbitrary files from the server filesystem, potentially exposing configuration files, credentials, and sensitive application data. Despite the network attack vector, exploitation requires high complexity conditions and low-level authentication. EPSS score of 0.24% (47th percentile) suggests low probability of widespread exploitation, with no CISA KEV listing or confirmed active exploitation at time of analysis.

Information Disclosure LFI PHP
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-25109 HIGH This Week

Local file inclusion in WP Vehicle Manager 3.1 and earlier allows remote unauthenticated attackers to read arbitrary files on the server or potentially execute code via PHP file inclusion. Classified as CWE-98 (PHP Remote File Inclusion) but exploits local file paths. EPSS score of 0.30% (53rd percentile) indicates below-average exploitation probability, with no CISA KEV listing or confirmed active exploitation. Patchstack vulnerability database confirms the issue affects arbitrary shortcode execution paths, suggesting exploitation requires specific WordPress shortcode processing contexts.

Information Disclosure LFI PHP
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2025-23945 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in NotFound Popliup allows PHP Local File Inclusion.1.1. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure LFI PHP
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2024-9193 CRITICAL POC THREAT Emergency

The WHMpress - WHMCS WordPress Integration Plugin plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 6.3-revision-0 via the. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 29.2% and no vendor patch available.

Information Disclosure PHP RCE LFI WordPress +1
NVD
CVSS 3.1
9.8
EPSS
29.2%
Threat
4.3
CVE-2024-12811 HIGH This Week

The Traveler theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.1.8 via the 'hotel_alone_slider' shortcode 'style' attribute. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure PHP RCE LFI WordPress
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2025-26985 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Majestic Support Majestic Support allows PHP Local File Inclusion.0.6. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure LFI PHP
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-26979 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in FunnelKit Funnel Builder by FunnelKit allows PHP Local File Inclusion.9.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure LFI PHP
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-26964 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Themewinter Eventin allows PHP Local File Inclusion.0.20. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure LFI PHP
NVD
CVSS 3.1
7.5
EPSS
0.3%
CVE-2025-26957 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Deetronix Affiliate Coupons allows PHP Local File Inclusion.7.3. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure LFI PHP
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-26932 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in QuantumCloud ChatBot allows PHP Local File Inclusion.3.5. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure LFI PHP
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-27272 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in vinagecko VG PostCarousel allows PHP Local File Inclusion.1. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure LFI PHP
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-26760 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Wow-Company Calculator Builder allows PHP Local File Inclusion.6.2. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure LFI PHP
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-26757 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in FULL SERVICES FULL Customer allows PHP Local File Inclusion.1.26. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure LFI PHP
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2024-13353 HIGH PATCH This Week

The Responsive Addons for Elementor - Free Elementor Addons Plugin and Elementor Templates plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.6.4 via. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

Information Disclosure PHP RCE LFI WordPress +2
NVD
CVSS 3.1
8.8
EPSS
0.5%
CVE-2024-13592 HIGH This Week

The Team Builder For WPBakery Page Builder(Formerly Visual Composer) plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.0 via the 'team-builder-vc'. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure PHP RCE LFI WordPress +2
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-22656 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Oscar Alvarez Cookie Monster allows PHP Local File Inclusion.2.2. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure LFI PHP
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2025-25141 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in zankover Fami Sales Popup allows PHP Local File Inclusion.0.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure LFI PHP
NVD
CVSS 3.1
7.5
EPSS
1.1%
CVE-2024-12859 HIGH This Month

The BoomBox Theme Extensions plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.8.0 via the 'boombox_listing' shortcode 'type' attribute. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP LFI Information Disclosure RCE WordPress
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-0366 HIGH PATCH This Week

The Jupiter X Core plugin for WordPress is vulnerable to Local File Inclusion to Remote Code Execution in all versions up to, and including, 4.8.7 via the get_svg() function. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

PHP LFI Information Disclosure RCE WordPress
NVD
CVSS 3.1
8.8
EPSS
0.8%
CVE-2025-24782 MEDIUM This Month

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in wpWax Post Grid, Slider & Carousel Ultimate allows PHP Local File. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

LFI Information Disclosure PHP
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2025-0682 HIGH This Month

The ThemeREX Addons plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.33.0 via the 'trx_sc_reviews' shortcode 'type' attribute. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP LFI Information Disclosure RCE WordPress +1
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2025-24733 MEDIUM This Month

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AddonMaster Post Grid Master allows PHP Local File Inclusion.4.12. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

LFI Information Disclosure PHP
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2024-45077 MEDIUM This Month

IBM Maximo Asset Management 7.6.1.3 MXAPIASSET API is vulnerable to unrestricted file upload which allows authenticated low privileged user to upload restricted file types with a simple method of. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

IBM PHP LFI Microsoft File Upload +2
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2024-13408 HIGH PATCH This Month

The Post Grid, Slider & Carousel Ultimate - with Shortcode, Gutenberg Block & Elementor Widget plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.6.10. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable.

PHP LFI Information Disclosure RCE WordPress +1
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2024-13593 HIGH PATCH This Month

The BMLT Meeting Map plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.6.0 via the 'bmlt_meeting_map' shortcode. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable.

PHP LFI Information Disclosure RCE WordPress +1
NVD
CVSS 3.1
7.5
EPSS
0.5%
CVE-2025-23949 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mihajlovic Nenad Improved Sale Badges - Free Version allows PHP Local File. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

LFI Information Disclosure PHP
NVD
CVSS 3.1
8.1
EPSS
1.6%
CVE-2025-23948 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WebArea Background animation blocks allows PHP Local File Inclusion.1.5. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

LFI Information Disclosure PHP
NVD
CVSS 3.1
8.1
EPSS
1.3%
CVE-2025-23938 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in NotFound Image Gallery Box by CRUDLab allows PHP Local File Inclusion.0.3. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

LFI Information Disclosure PHP
NVD
CVSS 3.1
7.5
EPSS
1.6%
CVE-2025-22311 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in NotFound Private Messages for UserPro.10.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

LFI Information Disclosure PHP
NVD
CVSS 3.1
7.5
EPSS
0.8%
CVE-2025-23915 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Roninwp FAT Event Lite allows PHP Local File Inclusion.1. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

LFI Information Disclosure PHP
NVD
CVSS 3.1
7.5
EPSS
1.0%
CVE-2025-22508 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Roninwp FAT Event Lite allows PHP Local File Inclusion.1. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

LFI Information Disclosure PHP
NVD
CVSS 3.1
8.1
EPSS
1.5%
CVE-2025-22145 PHP MEDIUM PATCH This Month

Carbon is an international PHP extension for DateTime. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE LFI PHP
NVD GitHub
CVSS 4.0
6.3
EPSS
0.1%
CVE-2024-53800 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Rezgo Rezgo allows PHP Local File Inclusion.15. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

LFI Information Disclosure PHP
NVD
CVSS 3.1
8.1
EPSS
4.6%
CVE-2025-22364 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Service Shogun Ach Invoice App allows PHP Local File Inclusion.0.1. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

LFI Information Disclosure PHP
NVD
CVSS 3.1
7.5
EPSS
1.1%
CVE-2025-22305 MEDIUM This Month

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WP OnlineSupport, Essential Plugin Hero Banner Ultimate allows PHP Local File. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

LFI Information Disclosure PHP
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2024-56282 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elicus WPMozo Addons Lite for Elementor allows PHP Local File Inclusion.1.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

LFI Information Disclosure PHP
NVD
CVSS 3.1
7.5
EPSS
2.5%
CVE-2024-56281 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CodeMShop 워드프레스 결제 심플페이 allows PHP Local File Inclusion.2.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

LFI Information Disclosure PHP
NVD
CVSS 3.1
7.5
EPSS
2.5%
CVE-2024-49649 CRITICAL Act Now

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Abdul Hakeem Build App Online allows PHP Local File Inclusion.0.23. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

LFI Information Disclosure PHP
NVD
CVSS 3.1
9.8
EPSS
4.6%
CVE-2024-56230 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Maidul Dynamic Product Category Grid, Slider for WooCommerce. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure WordPress LFI PHP
NVD
CVSS 3.1
7.5
EPSS
1.5%
CVE-2024-56216 MEDIUM This Month

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in themifyme Themify Builder themify-builder allows PHP Local File Inclusion.6.3. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure LFI PHP
NVD
CVSS 3.1
6.5
EPSS
0.4%
CVE-2024-12272 HIGH This Week

The WP Travel Engine - Elementor Widgets | Create Travel Booking Website Using WordPress and Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including,. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP WordPress RCE LFI Information Disclosure
NVD
CVSS 3.1
8.8
EPSS
0.8%
CVE-2024-12571 CRITICAL Act Now

The Store Locator for WordPress with Google Maps - LotsOfLocales plugin for WordPress is vulnerable to Local File Inclusion in version 3.98.9 via the 'sl_engine' parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google PHP WordPress RCE LFI +1
NVD
CVSS 3.1
9.8
EPSS
0.9%
CVE-2024-54270 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Axeptio Axeptio axeptio-sdk-integration allows PHP Local File Inclusion.5.4. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure LFI PHP
NVD
CVSS 3.1
8.1
EPSS
2.9%
CVE-2024-54376 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Spider Themes EazyDocs eazydocs allows PHP Local File Inclusion.8.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure LFI PHP
NVD
CVSS 3.1
7.5
EPSS
2.9%
CVE-2024-12040 HIGH This Week

The Product Carousel Slider & Grid Ultimate for WooCommerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.9.10 via the 'theme' attribute of the. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP WordPress RCE LFI Information Disclosure
NVD
CVSS 3.1
8.8
EPSS
0.8%
CVE-2024-52385 MEDIUM This Month

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in wpmart Team Member team-showcase-supreme.4. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure LFI PHP
NVD
CVSS 3.1
4.3
EPSS
0.4%
CVE-2024-54225 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in codegearthemes Designer designer allows PHP Local File Inclusion.4.1. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure LFI PHP
NVD
CVSS 3.1
7.5
EPSS
2.1%
CVE-2024-12209 CRITICAL POC THREAT Act Now

The WP Umbrella: Update Backup Restore & Monitoring plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.17.0 via the 'filename' parameter of the. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP WordPress RCE LFI Information Disclosure
NVD GitHub
CVSS 3.1
9.8
EPSS
15.0%
CVE-2024-53824 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in all_bootstrap_blocks All Bootstrap Blocks all-bootstrap-blocks allows PHP. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure LFI PHP
NVD
CVSS 3.1
7.5
EPSS
3.4%
CVE-2024-11289 HIGH This Week

The Soledad theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 8.5.9 via several functions like penci_archive_more_post_ajax_func,. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

PHP WordPress Microsoft RCE LFI +1
NVD
CVSS 3.1
8.1
EPSS
0.7%
CVE-2024-51541 HIGH This Week

Local File Inclusion vulnerabilities allow access to sensitive system information. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

LFI Abb PHP Information Disclosure Aspect Ent 12 Firmware +18
NVD
CVSS 4.0
8.8
EPSS
0.3%
CVE-2024-11429 HIGH This Week

The Free Responsive Testimonials, Social Proof Reviews, and Customer Reviews - Stars Testimonials plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including,. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP WordPress RCE LFI Information Disclosure
NVD
CVSS 3.1
8.8
EPSS
0.7%
CVE-2024-53739 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Cool Plugins Cryptocurrency Widgets For Elementor. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure LFI PHP Elementor
NVD
CVSS 3.1
8.1
EPSS
0.7%
CVE-2024-52501 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WebbyTemplate Office Locator office-locator.3.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

Microsoft LFI Information Disclosure PHP
NVD
CVSS 3.1
7.5
EPSS
0.8%
CVE-2024-52499 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Ibrahim Pricing table addon for elementor pricing-table-addon-for-elementor. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure LFI PHP
NVD
CVSS 3.1
7.5
EPSS
0.7%
CVE-2024-52497 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in quomodosoft Shopready shopready-elementor-addon allows PHP Local File. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure LFI PHP
NVD
CVSS 3.1
7.5
EPSS
0.8%
CVE-2024-52496 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AbsolutePlugins Absolute Addons For Elementor absolute-addons allows Local. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure LFI PHP
NVD
CVSS 3.1
7.5
EPSS
0.7%
CVE-2024-10873 HIGH PATCH This Week

The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.4.2 via the _load_template function. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

PHP WordPress RCE LFI Information Disclosure +1
NVD
CVSS 3.1
8.8
EPSS
1.1%
CVE-2024-10898 HIGH This Week

The Contact Form 7 Email Add on plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.9 via the cf7_email_add_on_add_admin_template() function. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP Information Disclosure RCE WordPress LFI +1
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2024-52450 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in officialprocoders nBlocks nblocks allows PHP Local File Inclusion.0.2. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure LFI PHP
NVD
CVSS 3.1
7.5
EPSS
1.8%
CVE-2024-52428 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Peter Ads Booster by Ads Pro free-wp-booster-by-ads-pro allows PHP Local File. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure LFI PHP
NVD
CVSS 3.1
8.1
EPSS
4.8%
CVE-2024-52386 MEDIUM This Month

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in RadiusTheme Classified Listing classified-listing allows PHP Local File. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure LFI PHP
NVD
CVSS 3.1
5.3
EPSS
0.5%
CVE-2024-52381 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Shoaib Rehmat ZIJ KART zij-kart allows PHP Local File Inclusion.1. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure LFI PHP
NVD
CVSS 3.1
8.1
EPSS
2.9%
CVE-2024-10571 CRITICAL POC THREAT Emergency

The Chartify - WordPress Chart Plugin plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.9.5 via the 'source' parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 87.0%.

PHP Information Disclosure RCE WordPress LFI +1
NVD
CVSS 3.1
9.8
EPSS
87.0%
Threat
6.1
CVE-2024-10871 CRITICAL Act Now

The Category Ajax Filter plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.8.2 via the 'params[caf-post-layout]' parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PHP WordPress RCE LFI Information Disclosure
NVD
CVSS 3.1
9.8
EPSS
0.8%
CVE-2024-10436 HIGH This Week

The WPC Smart Messages for WooCommerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.2.1 via the get_condition_value function. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP WordPress RCE LFI Information Disclosure
NVD
CVSS 3.1
8.8
EPSS
0.7%
CVE-2024-50457 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Qode Qode Essential Addons qode-essential-addons.6.3. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure LFI PHP
NVD VulDB
CVSS 3.1
7.5
EPSS
3.1%
CVE-2024-50436 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in themehorse Clean Retina clean-retina.0.6. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure LFI PHP
NVD VulDB
CVSS 3.1
7.5
EPSS
2.5%
EPSS 0% CVSS 7.5
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WP Travel Engine WP Travel Engine allows PHP Local File Inclusion.3.5. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure LFI PHP
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in DynamicWebLab Team Manager allows PHP Local File Inclusion.1.23. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure LFI PHP
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in jetmonsters Restaurant Menu by MotoPress allows PHP Local File Inclusion.4.4. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure LFI PHP
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in webangon The Pack Elementor addons allows PHP Local File Inclusion.1.1. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure LFI PHP
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in themifyme Themify Event Post allows PHP Local File Inclusion.3.2. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure LFI PHP
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Themewinter WPCafe allows PHP Local File Inclusion.2.31. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure LFI PHP
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in HT Plugins WishSuite allows PHP Local File Inclusion.4.4. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure LFI PHP
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in RadiusTheme The Post Grid allows PHP Local File Inclusion.7.17. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure LFI PHP
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WP Shuffle Subscribe to Download Lite allows PHP Local File Inclusion.2.9. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure LFI PHP
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in NotFound Docpro allows PHP Local File Inclusion.0.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure LFI PHP
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in designingmedia Hostiko allows PHP Local File Inclusion.1. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure LFI PHP
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in StylemixThemes Pearl - Corporate Business allows PHP Local File Inclusion.4.8. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure LFI PHP
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Michele Giorgi Formality allows PHP Local File Inclusion.5.7. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure LFI PHP
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ntm custom-field-list-widget allows PHP Local File Inclusion.5.1. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure LFI PHP
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in NotFound LinkedIn Lite allows PHP Local File Inclusion.0. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure LFI PHP
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

The MinimogWP - The High Converting eCommerce WordPress Theme theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.7.0 via the 'template' parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure PHP RCE +2
NVD
EPSS 0% CVSS 8.8
HIGH This Month

The s2Member Pro plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 250214 via the 'template' attribute. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure PHP RCE +2
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Systemic Risk Value <=2.8.0 is vulnerable to Local File Inclusion via /GetFile.aspx?ReportUrl=. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure LFI PHP +1
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL Act Now

The Traveler theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.1.8 via the 'hotel_alone_load_more_post' function 'style' parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure PHP RCE +3
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Local File Inclusion in WC Place Order Without Payment (WordPress plugin) versions up to 2.6.7 enables remote attackers to read arbitrary files from the web server through improper filename control in PHP include/require statements. While CVSS rates this 7.5 (High), EPSS exploitation probability is low (0.24%, 46th percentile), and no active exploitation is confirmed (not in CISA KEV). Patchstack vulnerability database confirms the flaw, but no public exploit code is identified at time of analysis. Real-world risk is moderate: exploitation requires high attack complexity and user interaction, limiting mass exploitation scenarios despite network accessibility.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 9.0
CRITICAL Act Now

The Massive Dynamic WordPress theme (through 8.2) by EPC is vulnerable to PHP Remote File Inclusion via an improperly controlled include/require statement. Although the attack complexity is high, successful exploitation allows unauthenticated remote code execution with scope change.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 5.1
MEDIUM POC This Month

Directory Traversal (Local File Inclusion) vulnerability in Tikit (now Advanced) eMarketing platform 6.8.3.0 allows a remote attacker to read arbitrary files and obtain sensitive information via a. Rated medium severity (CVSS 5.1), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

LFI PHP Path Traversal +1
NVD GitHub
EPSS 0% CVSS 7.5
HIGH This Week

Local File Inclusion (LFI) in Doctor Appointment Booking WordPress plugin version 1.0.0 and earlier allows authenticated attackers with low privileges to read arbitrary files from the server filesystem, potentially exposing configuration files, credentials, and sensitive application data. Despite the network attack vector, exploitation requires high complexity conditions and low-level authentication. EPSS score of 0.24% (47th percentile) suggests low probability of widespread exploitation, with no CISA KEV listing or confirmed active exploitation at time of analysis.

Information Disclosure LFI PHP
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local file inclusion in WP Vehicle Manager 3.1 and earlier allows remote unauthenticated attackers to read arbitrary files on the server or potentially execute code via PHP file inclusion. Classified as CWE-98 (PHP Remote File Inclusion) but exploits local file paths. EPSS score of 0.30% (53rd percentile) indicates below-average exploitation probability, with no CISA KEV listing or confirmed active exploitation. Patchstack vulnerability database confirms the issue affects arbitrary shortcode execution paths, suggesting exploitation requires specific WordPress shortcode processing contexts.

Information Disclosure LFI PHP
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in NotFound Popliup allows PHP Local File Inclusion.1.1. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure LFI PHP
NVD
EPSS 29% 4.3 CVSS 9.8
CRITICAL POC THREAT Emergency

The WHMpress - WHMCS WordPress Integration Plugin plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 6.3-revision-0 via the. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 29.2% and no vendor patch available.

Information Disclosure PHP RCE +3
NVD
EPSS 0% CVSS 8.8
HIGH This Week

The Traveler theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.1.8 via the 'hotel_alone_slider' shortcode 'style' attribute. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure PHP RCE +2
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Majestic Support Majestic Support allows PHP Local File Inclusion.0.6. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure LFI PHP
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in FunnelKit Funnel Builder by FunnelKit allows PHP Local File Inclusion.9.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure LFI PHP
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Themewinter Eventin allows PHP Local File Inclusion.0.20. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure LFI PHP
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Deetronix Affiliate Coupons allows PHP Local File Inclusion.7.3. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure LFI PHP
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in QuantumCloud ChatBot allows PHP Local File Inclusion.3.5. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure LFI PHP
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in vinagecko VG PostCarousel allows PHP Local File Inclusion.1. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure LFI PHP
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Wow-Company Calculator Builder allows PHP Local File Inclusion.6.2. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure LFI PHP
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in FULL SERVICES FULL Customer allows PHP Local File Inclusion.1.26. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure LFI PHP
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

The Responsive Addons for Elementor - Free Elementor Addons Plugin and Elementor Templates plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.6.4 via. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

Information Disclosure PHP RCE +4
NVD
EPSS 0% CVSS 7.5
HIGH This Week

The Team Builder For WPBakery Page Builder(Formerly Visual Composer) plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.0 via the 'team-builder-vc'. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure PHP RCE +4
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Oscar Alvarez Cookie Monster allows PHP Local File Inclusion.2.2. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure LFI PHP
NVD
EPSS 1% CVSS 7.5
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in zankover Fami Sales Popup allows PHP Local File Inclusion.0.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure LFI PHP
NVD
EPSS 0% CVSS 8.8
HIGH This Month

The BoomBox Theme Extensions plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.8.0 via the 'boombox_listing' shortcode 'type' attribute. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP LFI Information Disclosure +2
NVD
EPSS 1% CVSS 8.8
HIGH PATCH This Week

The Jupiter X Core plugin for WordPress is vulnerable to Local File Inclusion to Remote Code Execution in all versions up to, and including, 4.8.7 via the get_svg() function. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

PHP LFI Information Disclosure +2
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in wpWax Post Grid, Slider & Carousel Ultimate allows PHP Local File. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

LFI Information Disclosure PHP
NVD
EPSS 0% CVSS 8.8
HIGH This Month

The ThemeREX Addons plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.33.0 via the 'trx_sc_reviews' shortcode 'type' attribute. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP LFI Information Disclosure +3
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AddonMaster Post Grid Master allows PHP Local File Inclusion.4.12. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

LFI Information Disclosure PHP
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

IBM Maximo Asset Management 7.6.1.3 MXAPIASSET API is vulnerable to unrestricted file upload which allows authenticated low privileged user to upload restricted file types with a simple method of. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

IBM PHP LFI +4
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Month

The Post Grid, Slider & Carousel Ultimate - with Shortcode, Gutenberg Block & Elementor Widget plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.6.10. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable.

PHP LFI Information Disclosure +3
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Month

The BMLT Meeting Map plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.6.0 via the 'bmlt_meeting_map' shortcode. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable.

PHP LFI Information Disclosure +3
NVD
EPSS 2% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mihajlovic Nenad Improved Sale Badges - Free Version allows PHP Local File. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

LFI Information Disclosure PHP
NVD
EPSS 1% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WebArea Background animation blocks allows PHP Local File Inclusion.1.5. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

LFI Information Disclosure PHP
NVD
EPSS 2% CVSS 7.5
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in NotFound Image Gallery Box by CRUDLab allows PHP Local File Inclusion.0.3. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

LFI Information Disclosure PHP
NVD
EPSS 1% CVSS 7.5
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in NotFound Private Messages for UserPro.10.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

LFI Information Disclosure PHP
NVD
EPSS 1% CVSS 7.5
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Roninwp FAT Event Lite allows PHP Local File Inclusion.1. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

LFI Information Disclosure PHP
NVD
EPSS 2% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Roninwp FAT Event Lite allows PHP Local File Inclusion.1. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

LFI Information Disclosure PHP
NVD
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Carbon is an international PHP extension for DateTime. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE LFI PHP
NVD GitHub
EPSS 5% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Rezgo Rezgo allows PHP Local File Inclusion.15. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

LFI Information Disclosure PHP
NVD
EPSS 1% CVSS 7.5
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Service Shogun Ach Invoice App allows PHP Local File Inclusion.0.1. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

LFI Information Disclosure PHP
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WP OnlineSupport, Essential Plugin Hero Banner Ultimate allows PHP Local File. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

LFI Information Disclosure PHP
NVD
EPSS 3% CVSS 7.5
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elicus WPMozo Addons Lite for Elementor allows PHP Local File Inclusion.1.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

LFI Information Disclosure PHP
NVD
EPSS 3% CVSS 7.5
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CodeMShop 워드프레스 결제 심플페이 allows PHP Local File Inclusion.2.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

LFI Information Disclosure PHP
NVD
EPSS 5% CVSS 9.8
CRITICAL Act Now

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Abdul Hakeem Build App Online allows PHP Local File Inclusion.0.23. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

LFI Information Disclosure PHP
NVD
EPSS 2% CVSS 7.5
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Maidul Dynamic Product Category Grid, Slider for WooCommerce. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure WordPress LFI +1
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in themifyme Themify Builder themify-builder allows PHP Local File Inclusion.6.3. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure LFI PHP
NVD
EPSS 1% CVSS 8.8
HIGH This Week

The WP Travel Engine - Elementor Widgets | Create Travel Booking Website Using WordPress and Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including,. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP WordPress RCE +2
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

The Store Locator for WordPress with Google Maps - LotsOfLocales plugin for WordPress is vulnerable to Local File Inclusion in version 3.98.9 via the 'sl_engine' parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google PHP WordPress +3
NVD
EPSS 3% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Axeptio Axeptio axeptio-sdk-integration allows PHP Local File Inclusion.5.4. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure LFI PHP
NVD
EPSS 3% CVSS 7.5
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Spider Themes EazyDocs eazydocs allows PHP Local File Inclusion.8.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure LFI PHP
NVD
EPSS 1% CVSS 8.8
HIGH This Week

The Product Carousel Slider & Grid Ultimate for WooCommerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.9.10 via the 'theme' attribute of the. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP WordPress RCE +2
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in wpmart Team Member team-showcase-supreme.4. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure LFI PHP
NVD
EPSS 2% CVSS 7.5
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in codegearthemes Designer designer allows PHP Local File Inclusion.4.1. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure LFI PHP
NVD
EPSS 15% CVSS 9.8
CRITICAL POC THREAT Act Now

The WP Umbrella: Update Backup Restore & Monitoring plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.17.0 via the 'filename' parameter of the. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP WordPress RCE +2
NVD GitHub
EPSS 3% CVSS 7.5
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in all_bootstrap_blocks All Bootstrap Blocks all-bootstrap-blocks allows PHP. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure LFI PHP
NVD
EPSS 1% CVSS 8.1
HIGH This Week

The Soledad theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 8.5.9 via several functions like penci_archive_more_post_ajax_func,. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

PHP WordPress Microsoft +3
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Local File Inclusion vulnerabilities allow access to sensitive system information. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

LFI Abb PHP +20
NVD
EPSS 1% CVSS 8.8
HIGH This Week

The Free Responsive Testimonials, Social Proof Reviews, and Customer Reviews - Stars Testimonials plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including,. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP WordPress RCE +2
NVD
EPSS 1% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Cool Plugins Cryptocurrency Widgets For Elementor. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure LFI PHP +1
NVD
EPSS 1% CVSS 7.5
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WebbyTemplate Office Locator office-locator.3.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

Microsoft LFI Information Disclosure +1
NVD
EPSS 1% CVSS 7.5
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Ibrahim Pricing table addon for elementor pricing-table-addon-for-elementor. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure LFI PHP
NVD
EPSS 1% CVSS 7.5
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in quomodosoft Shopready shopready-elementor-addon allows PHP Local File. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure LFI PHP
NVD
EPSS 1% CVSS 7.5
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AbsolutePlugins Absolute Addons For Elementor absolute-addons allows Local. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure LFI PHP
NVD
EPSS 1% CVSS 8.8
HIGH PATCH This Week

The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.4.2 via the _load_template function. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

PHP WordPress RCE +3
NVD
EPSS 0% CVSS 8.8
HIGH This Week

The Contact Form 7 Email Add on plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.9 via the cf7_email_add_on_add_admin_template() function. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP Information Disclosure RCE +3
NVD
EPSS 2% CVSS 7.5
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in officialprocoders nBlocks nblocks allows PHP Local File Inclusion.0.2. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure LFI PHP
NVD
EPSS 5% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Peter Ads Booster by Ads Pro free-wp-booster-by-ads-pro allows PHP Local File. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure LFI PHP
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in RadiusTheme Classified Listing classified-listing allows PHP Local File. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure LFI PHP
NVD
EPSS 3% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Shoaib Rehmat ZIJ KART zij-kart allows PHP Local File Inclusion.1. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure LFI PHP
NVD
EPSS 87% 6.1 CVSS 9.8
CRITICAL POC THREAT Emergency

The Chartify - WordPress Chart Plugin plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.9.5 via the 'source' parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 87.0%.

PHP Information Disclosure RCE +3
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

The Category Ajax Filter plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.8.2 via the 'params[caf-post-layout]' parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PHP WordPress RCE +2
NVD
EPSS 1% CVSS 8.8
HIGH This Week

The WPC Smart Messages for WooCommerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.2.1 via the get_condition_value function. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP WordPress RCE +2
NVD
EPSS 3% CVSS 7.5
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Qode Qode Essential Addons qode-essential-addons.6.3. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure LFI PHP
NVD VulDB
EPSS 2% CVSS 7.5
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in themehorse Clean Retina clean-retina.0.6. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure LFI PHP
NVD VulDB
Prev Page 12 of 14 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy