LFI
The CasaMia WordPress theme through version 1.1.2 contains a local file inclusion vulnerability in its PHP file handling that allows unauthenticated attackers to read arbitrary files from the server. This high-severity flaw (CVSS 8.1) could expose sensitive configuration files, database credentials, and other confidential data stored on affected WordPress installations. No patch is currently available for this vulnerability.
Improper file inclusion handling in PHP-based The Issue theme versions 1.6.11 and earlier enables attackers to include and execute arbitrary local files, potentially leading to remote code execution. An unauthenticated attacker can exploit this vulnerability over the network to read sensitive files or execute malicious PHP code. No patch is currently available.
The FindAll plugin for PHP through version 1.4 contains a local file inclusion vulnerability that enables attackers to read arbitrary files from the affected system through improper input validation on file inclusion statements. An unauthenticated remote attacker can exploit this vulnerability to access sensitive files and potentially execute arbitrary code with the privileges of the web server process. No patch is currently available for this vulnerability.
Local file inclusion in AncoraThemes Felizia through version 1.3.4 enables unauthenticated attackers to read arbitrary files from the affected server through improper input validation on file inclusion parameters. The vulnerability carries high severity with a CVSS score of 8.1 and impacts confidentiality, integrity, and availability of affected systems. No patch is currently available for this vulnerability.
Elated-Themes Etchy through version 1.0 contains a local file inclusion vulnerability in its PHP file handling that enables attackers to read arbitrary files from the affected server without authentication. The vulnerability stems from improper validation of filename parameters in include/require statements, allowing directory traversal attacks to access sensitive system files. While a patch is not currently available, the low EPSS score suggests limited real-world exploitation likelihood at this time.
Mikado-Themes Wanderland versions 1.5 and earlier contain a local file inclusion vulnerability in PHP that enables attackers to read arbitrary files from the affected server without authentication. The vulnerability stems from improper validation of file paths in include/require statements, allowing an unauthenticated remote attacker to access sensitive system files. No patch is currently available for this vulnerability.
Local file inclusion in Elated-Themes Askka version 1.0 and earlier allows unauthenticated remote attackers to read arbitrary files from the affected server through improper validation of include/require statements. The vulnerability carries high severity with potential for information disclosure and system compromise. No patch is currently available for this vulnerability.
ThemeREX Hoverex versions up to 1.5.10 contain a local file inclusion vulnerability in PHP that allows unauthenticated attackers to read arbitrary files from the server through improper handling of include/require statements. An attacker with network access can exploit this to disclose sensitive configuration files, source code, or other critical data without authentication. No patch is currently available for this vulnerability.
Don Peppe WordPress theme version 1.3 and earlier contains a local file inclusion vulnerability in its file handling mechanism that could allow an attacker to read arbitrary files from the affected server. The vulnerability stems from improper input validation on filename parameters used in PHP include/require statements, enabling attackers to traverse the filesystem and access sensitive data. Currently, no patch is available for this vulnerability.
Select-Themes Prowess version 1.8.1 and earlier contains a local file inclusion vulnerability in its PHP file handling that allows unauthenticated attackers to read arbitrary files from the affected system. The vulnerability stems from improper validation of filenames in include/require statements, enabling attackers to traverse directories and access sensitive data. No patch is currently available for this high-severity vulnerability (CVSS 8.1).
ThemeREX Alliance versions up to 3.1.1 contain a local file inclusion vulnerability in PHP that allows unauthenticated attackers to read arbitrary files from the server through improper handling of filename parameters in include/require statements. With a CVSS score of 8.1, this vulnerability enables attackers to access sensitive system files and potentially execute code depending on server configuration. No patch is currently available for affected versions.
LaunchandSell Tribe plugin for PHP versions through 1.7.3 contains a local file inclusion vulnerability that allows unauthenticated remote attackers to read arbitrary files on the server. The flaw stems from improper validation of filenames in include/require statements, enabling attackers to access sensitive data without authentication. No patch is currently available for this vulnerability.
Elated-Themes Zentrum version 1.0 and earlier contains a local file inclusion vulnerability in its PHP file handling that enables attackers to read arbitrary files from the server without authentication. The high CVSS score of 8.1 reflects the potential for complete compromise of confidentiality and integrity, though exploitation requires specific conditions. No patch is currently available for affected installations.
Local file inclusion in AncoraThemes Green Planet through version 1.1.14 allows unauthenticated attackers to read arbitrary files on affected servers by manipulating include/require statements in PHP. This CWE-98 vulnerability carries a CVSS score of 8.1 with high impact on confidentiality and integrity, though no patch is currently available.
AncoraThemes Playa versions up to 1.3.9 contain a local file inclusion vulnerability in PHP that allows unauthenticated attackers to read arbitrary files from the affected server. The flaw stems from improper validation of file paths in include/require statements, enabling attackers to traverse directories and access sensitive system files. No patch is currently available for this vulnerability.
Local file inclusion in Elated-Themes Helvig through version 1.0 enables unauthenticated remote attackers to read arbitrary files from affected systems. The vulnerability stems from improper control of filename parameters in PHP include/require statements, allowing attackers to traverse the filesystem and access sensitive data. No patch is currently available.
ElectroServ through version 1.3.2 contains a local file inclusion vulnerability in its PHP-based file handling that enables unauthenticated attackers to read arbitrary files from the server. An attacker can exploit this weakness over the network without user interaction to access sensitive data or potentially execute code through log poisoning techniques. No patch is currently available for this vulnerability.
Local file inclusion in AncoraThemes Crown Art through version 1.2.11 enables unauthenticated remote attackers to read arbitrary files from the affected server through improper handling of include/require statements. This vulnerability carries a high CVSS score of 8.1 and allows potential access to sensitive configuration files and application data. No patch is currently available for this vulnerability.
PHP Local File Inclusion in AncoraThemes CloudMe through version 1.2.2 enables unauthenticated attackers to read arbitrary files on affected systems through improper filename validation in include/require statements. The high CVSS score of 8.1 reflects the potential for confidentiality and integrity compromise, though no patch is currently available.
Woopy through version 1.2 by AncoraThemes contains a local file inclusion vulnerability in PHP that allows unauthenticated attackers to read arbitrary files from the affected system. The vulnerability stems from improper validation of filename parameters in include/require statements, enabling attackers to traverse the file system and access sensitive data. No patch is currently available for this vulnerability.
AncoraThemes Wabi-Sabi theme version 1.2 and earlier contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files on the server through improper handling of file inclusion parameters. An attacker can exploit this to access sensitive configuration files, database credentials, and other confidential data stored on the affected WordPress installation. No patch is currently available.
Mikado-Themes Verdure WordPress theme version 1.6 and earlier contains an improper file inclusion vulnerability that enables attackers to read arbitrary files from the affected server without authentication. The flaw in the theme's include/require statement handling allows local and remote file inclusion attacks, potentially exposing sensitive configuration files and other critical data. No patch is currently available for this vulnerability.
The Tooth Fairy WordPress theme through version 1.16 contains a local file inclusion vulnerability in its PHP file handling that allows attackers to read arbitrary files from the server. An unauthenticated remote attacker can exploit this by manipulating file inclusion parameters to access sensitive data or potentially execute code. No patch is currently available for this vulnerability.
Mikado-Themes GoTravel versions 2.1 and earlier contain a local file inclusion vulnerability in PHP file handling that allows unauthenticated attackers to read arbitrary files from the affected server. The vulnerability stems from improper input validation on filename parameters used in PHP include/require statements, enabling attackers to traverse the filesystem and access sensitive data without authentication.
Elated-Themes Sweet Jane theme through version 1.2 contains a local file inclusion vulnerability in PHP that allows unauthenticated attackers to read arbitrary files on the server. The vulnerability stems from improper validation of file paths in include/require statements, enabling attackers to traverse directories and access sensitive information. No patch is currently available for affected installations.
Local file inclusion in AncoraThemes Shaha versions up to 1.1.2 enables attackers to read arbitrary files through improper input validation in PHP include/require statements. An unauthenticated remote attacker can exploit this vulnerability to access sensitive server files and potentially execute arbitrary code, with no patch currently available.
SetSail theme versions 1.8 and earlier for PHP are vulnerable to local file inclusion attacks due to improper input validation on file inclusion statements, potentially allowing attackers to read arbitrary files on the server. The vulnerability carries a high CVSS score of 8.1 and affects confidentiality, integrity, and availability, though no patch is currently available. Remote exploitation is possible under specific conditions, and affected users should implement access controls or upgrade once patches become available.
AncoraThemes Quantum theme versions up to 1.0 contain a local file inclusion vulnerability that enables attackers to read arbitrary files from the server through improper input validation in file inclusion functions. An unauthenticated remote attacker can exploit this to access sensitive configuration files and potentially execute arbitrary code on affected WordPress installations. No patch is currently available, though the vulnerability has a low exploit probability (0.2% EPSS).
Local file inclusion in AncoraThemes Horizon through version 1.1 enables unauthenticated attackers to read arbitrary files on affected servers through improper filename validation in PHP include/require statements. With a CVSS score of 8.1, this vulnerability allows complete compromise of confidentiality, integrity, and availability, though exploitation requires specific conditions. No patch is currently available for this vulnerability.
AncoraThemes Honor version 2.3 and earlier contains a PHP local file inclusion vulnerability that allows unauthenticated remote attackers to read arbitrary files from the server through improper input validation on file inclusion parameters. An attacker can exploit this to access sensitive configuration files, source code, or other confidential data stored on the affected web server. No patch is currently available for this vulnerability.
Local file inclusion in AncoraThemes Great Lotus through version 1.3.1 allows unauthenticated attackers to read arbitrary files on affected servers by exploiting improper input validation in file inclusion functions. The vulnerability carries a CVSS score of 8.1 and enables attackers to access sensitive data including configuration files and source code, though no patch is currently available.
PHP Local File Inclusion in AncoraThemes FixTeam through version 1.4 enables unauthenticated remote attackers to read arbitrary files on affected systems through improper handling of file include/require statements. The vulnerability carries a high CVSS score of 8.1 with potential for information disclosure and system compromise, though no patch is currently available.
The Mounty WordPress theme through version 1.1 contains a local file inclusion vulnerability in its PHP file handling that allows unauthenticated attackers to read arbitrary files from the server. The vulnerability stems from improper validation of file paths in include/require statements, enabling attackers to access sensitive configuration files and potentially source code. With a CVSS score of 8.1 and no patch currently available, affected sites running vulnerable versions face significant risk of information disclosure.
Mikado-Themes Marra version 1.2 and earlier contains a local file inclusion vulnerability in its PHP file handling that allows unauthenticated attackers to read arbitrary files on the server. The vulnerability stems from improper validation of filenames used in include/require statements, enabling attackers to traverse the filesystem and access sensitive data. No patch is currently available for this issue.
Local file inclusion in Mikado-Themes Malgré versions up to 1.0.3 allows unauthenticated attackers to read arbitrary files from the affected server through improper handling of file inclusion parameters. An attacker can exploit this vulnerability over the network without user interaction to access sensitive information, potentially leading to credential disclosure or further system compromise. No patch is currently available.
Mikado-Themes Eona versions 1.3 and earlier contain a local file inclusion vulnerability in PHP that allows unauthenticated attackers to read arbitrary files from the affected server. The vulnerability stems from improper validation of filename parameters in include/require statements, enabling attackers to traverse the filesystem and access sensitive data. No patch is currently available for this vulnerability.
Local file inclusion in Mikado-Themes Dolcino through version 1.6 allows unauthenticated remote attackers to read arbitrary files on affected systems by manipulating include/require parameters. The vulnerability stems from improper validation of filenames in PHP file inclusion statements, enabling attackers to traverse the filesystem without authentication. No patch is currently available for this vulnerability.
Local and remote file inclusion in Mikado-Themes Justicia through version 1.2 enables attackers to read arbitrary files or execute malicious PHP code on affected systems. The vulnerability stems from improper validation of file paths in include/require statements, allowing unauthenticated remote exploitation. No patch is currently available; affected users should upgrade to a patched version when released or implement web application firewall rules to restrict suspicious file inclusion attempts.
Local file inclusion in Mikado-Themes Overton version 1.3 and earlier allows unauthenticated remote attackers to read arbitrary files on the server through improper handling of PHP include/require statements. The vulnerability requires specific conditions to exploit (high complexity) but could lead to complete compromise of confidentiality and integrity. No patch is currently available for affected installations.
Mikado-Themes Innovio through version 1.7 contains a local file inclusion vulnerability in its PHP file handling that allows unauthenticated attackers to read arbitrary files from the server. The vulnerability stems from improper validation of filenames used in PHP include/require statements, enabling attackers to access sensitive data without authentication. No patch is currently available for this high-severity issue affecting all versions through 1.7.
Local file inclusion in Mikado-Themes Holmes version 1.7 and earlier allows unauthenticated remote attackers to read arbitrary files on affected servers through improper input validation in PHP include/require statements. The vulnerability has a CVSS score of 8.1 and enables attackers to potentially access sensitive configuration files and database credentials. No patch is currently available for this vulnerability.
Mikado-Themes Fleur version 2.0 and earlier contains a local file inclusion vulnerability in PHP that permits attackers to read arbitrary files on affected systems through improper input validation in file inclusion functions. The vulnerability requires specific conditions to exploit but grants high-impact access to sensitive data and potential system compromise. No patch is currently available.
Mikado-Themes Fiorello through version 1.0 contains a local file inclusion vulnerability in its PHP code that fails to properly validate filenames used in include/require statements, enabling attackers to read arbitrary files on the affected server. The vulnerability requires specific conditions to exploit but carries high impact, allowing unauthorized access to sensitive data and potential code execution. No security patch is currently available for this vulnerability.
Mikado-Themes Evently plugin version 1.7 and earlier contains a local file inclusion vulnerability in its PHP include/require handling that enables attackers to read arbitrary files from the server without authentication. The flaw stems from improper filename validation, allowing unauthenticated remote attackers to disclose sensitive information such as configuration files and source code. No patch is currently available for affected installations.
Mikado-Themes Cortex version 1.5 and earlier contains a local file inclusion vulnerability in its PHP file handling that allows unauthenticated remote attackers to read arbitrary files on the server. The vulnerability stems from improper validation of filenames in include/require statements, enabling attackers to traverse the filesystem and access sensitive data. No patch is currently available for this vulnerability.
Mikado-Themes Cocco versions up to 1.5.1 contain a local file inclusion vulnerability in PHP file handling that enables attackers to read arbitrary files on affected systems. An unauthenticated remote attacker can exploit improper input validation in include/require statements to access sensitive data without authentication. No patch is currently available for this high-severity vulnerability (CVSS 8.1).
Mikado-Themes Aviana through version 2.1 contains a local file inclusion vulnerability in PHP that enables attackers to read arbitrary files on the server through improper handling of include/require statements. An unauthenticated remote attacker can exploit this weakness to access sensitive files and potentially execute arbitrary code, though no patch is currently available. The vulnerability carries a CVSS score of 8.1 and affects all versions up to and including Aviana 2.1.
PHP Local File Inclusion in Wolmart through version 1.9.6 enables unauthenticated attackers over the network to read arbitrary files on affected systems due to improper input validation in file inclusion functions. The vulnerability carries high impact potential for confidentiality and integrity, though no patch is currently available. An attacker with network access can leverage this flaw to access sensitive configuration files, source code, or other protected resources without authentication.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in don-themes Molla molla allows PHP Local File Inclusion. This issue affects Molla: from n/a through <= 1.5.16. [CVSS 8.1 HIGH]
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ovatheme Remons remons allows PHP Local File Inclusion. This issue affects Remons: from n/a through <= 1.3.4. [CVSS 8.1 HIGH]
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Berger berger allows PHP Local File Inclusion. This issue affects Berger: from n/a through <= 1.1.1. [CVSS 8.1 HIGH]
Page Builder by SiteOrigin (WordPress plugin) versions up to 2.33.5 are affected by path traversal (CVSS 8.8).
Unauthenticated RCE and information disclosure via Local File Inclusion in Johnson Controls Frick Controls. Fifth critical vulnerability in the product line, enabling arbitrary file reads and code execution.
Open Source Point Of Sale versions up to 3.4.1 are affected by unrestricted upload of a file with a dangerous type (CVSS 8.8).
Mikado-Themes PawFriends - Pet Shop and Veterinary WordPress Theme pawfriends is affected by PHP remote file inclusion (CVSS 8.1).
Local file inclusion in AncoraThemes Unlimhost through version 1.2.3 allows unauthenticated attackers to read arbitrary files from the server via improper handling of include/require statements. The vulnerability carries high confidentiality and integrity impact, enabling attackers to potentially access sensitive configuration files or execute code through log poisoning techniques. No patch is currently available for this issue.
AncoraThemes Netmix versions 1.0.10 and earlier contain a local file inclusion vulnerability in PHP file handling that allows unauthenticated remote attackers to read sensitive files from the affected system. The vulnerability stems from improper validation of filenames in include/require statements, enabling attackers to traverse directories and access arbitrary files on the server. No patch is currently available for this high-severity issue (CVSS 8.1).
Blabber through version 1.7.0 contains a local file inclusion vulnerability in its PHP code that allows unauthenticated attackers to read arbitrary files from the server. An attacker can exploit improper filename validation in include/require statements to access sensitive system files without authentication. No patch is currently available for this high-severity vulnerability affecting PHP environments.
Local file inclusion in AncoraThemes Saveo through version 1.1.2 enables unauthenticated attackers to read arbitrary files on affected servers through improper input validation on file inclusion functions. The vulnerability carries high severity with complete confidentiality and integrity impacts, though no patch is currently available.
AncoraThemes Parkivia through version 1.1.9 contains a local file inclusion vulnerability in its PHP include/require handling that allows unauthenticated remote attackers to read arbitrary files from the server. The vulnerability exploits improper filename control mechanisms to access sensitive system files without authentication. No patch is currently available, and exploitation requires moderate attack complexity but results in high confidentiality, integrity, and availability impact.
AncoraThemes Impacto Patronus through version 1.2.3 contains a local file inclusion vulnerability in its PHP include/require handling that allows attackers to read arbitrary files on the server. An unauthenticated remote attacker can exploit this vulnerability to access sensitive configuration files, credentials, and other protected data without authentication. No patch is currently available for this vulnerability.
AncoraThemes Zio Alberto through version 1.2.2 contains a local file inclusion vulnerability in its PHP file handling that allows unauthenticated attackers to read arbitrary files from the server. The vulnerability stems from improper validation of file paths in include/require statements, enabling attackers to traverse the filesystem and access sensitive data. No patch is currently available for this issue.
PHP Local File Inclusion in AncoraThemes Fooddy through version 1.3.10 enables attackers to read arbitrary files on the server through improper input validation in file inclusion mechanisms. An unauthenticated remote attacker can exploit this vulnerability over the network to access sensitive files and potentially execute arbitrary code, achieving high impact on confidentiality, integrity, and availability. No patch is currently available for this vulnerability.
AncoraThemes Isida through version 1.4.2 contains a local file inclusion vulnerability in its PHP file handling that allows unauthenticated attackers to read arbitrary files from the server. The flaw stems from improper validation of include/require statements, enabling attackers to access sensitive files and potentially execute arbitrary code. No patch is currently available, and exploitation requires moderate complexity conditions.
AncoraThemes Gustavo plugin version 1.2.2 and earlier contains a local file inclusion vulnerability in its PHP file handling that allows unauthenticated remote attackers to read arbitrary files from the server. The vulnerability stems from improper validation of filenames in include/require statements, enabling attackers to traverse the filesystem and access sensitive data. With no available patch, affected sites running vulnerable versions face significant risk of information disclosure.
Axiomthemes Marveland versions up to 1.3.0 contain a local file inclusion vulnerability in PHP that allows unauthenticated attackers to read arbitrary files on the server through improper handling of include/require statements. An attacker can exploit this weakness over the network without user interaction to disclose sensitive information or potentially execute arbitrary code. No patch is currently available.
Local file inclusion in AncoraThemes Ironfit through version 1.5 enables unauthenticated attackers to read arbitrary files from the server through improper handling of file inclusion parameters. The vulnerability grants high-impact access to sensitive data and potential system compromise without authentication or user interaction required. No patch is currently available for affected installations.
Local file inclusion in Axiomthemes Redy versions up to 1.0.2 allows unauthenticated attackers to read arbitrary files from the affected server by manipulating include/require statements. An attacker can exploit this vulnerability over the network to disclose sensitive information such as configuration files or source code. No patch is currently available for this vulnerability.
AncoraThemes Coworking plugin through version 1.6.1 contains a local file inclusion vulnerability in its PHP file handling that could allow attackers to read arbitrary files from the affected server. An unauthenticated remote attacker can exploit improper input validation on filename parameters to access sensitive system files and potentially execute arbitrary code. No patch is currently available for this vulnerability.
Axiomthemes Jude through version 1.3.0 contains a local file inclusion vulnerability in its PHP include/require handling that allows unauthenticated remote attackers to read arbitrary files from the affected server. The vulnerability requires specific conditions to be met (high complexity) but results in complete compromise of confidentiality, integrity, and availability. No patch is currently available for this vulnerability.
Improper file inclusion validation in axiomthemes SevenTrees PHP plugin versions 1.0.2 and earlier enables unauthenticated attackers to include and execute arbitrary local files through remote requests. This remote file inclusion vulnerability allows attackers to execute malicious PHP code with full system privileges. Currently no patch is available and the vulnerability has low exploit probability.
Axiom Themes Rhodos through version 1.3.3 contains a local file inclusion vulnerability in its PHP file handling that allows unauthenticated attackers to read arbitrary files from the server. The improper validation of include/require statements enables attackers to access sensitive application data and configuration files without authentication. Currently no patch is available for this vulnerability.
Axiomthemes Photolia through version 1.0.3 contains a local file inclusion vulnerability in its PHP include/require handling that enables attackers to read arbitrary files from the affected server. An unauthenticated remote attacker can exploit this weakness over the network to access sensitive information without user interaction. No patch is currently available, making this a high-severity risk for active installations of this theme.
PHP Local File Inclusion in axiomthemes A-Mart versions up to 1.0.2 enables unauthenticated remote attackers to read arbitrary files from the server through improper handling of include/require statements. An attacker can leverage this vulnerability to disclose sensitive configuration files, source code, or other confidential data accessible to the web server process. No patch is currently available for this vulnerability.
Jetpack CRM versions 6.7.0 and earlier contain a local file inclusion vulnerability in their PHP code that allows attackers to manipulate file inclusion statements and access arbitrary files on the server. An unauthenticated attacker can exploit this through a user interaction to read sensitive files or potentially execute arbitrary code with high impact. No patch is currently available for this vulnerability.
Mikado-Themes FiveStar plugin through version 1.7 contains a local file inclusion vulnerability in its PHP file handling that allows unauthenticated attackers to read arbitrary files from the server. The vulnerability stems from improper validation of filename parameters in include/require statements, enabling attackers to access sensitive configuration files and other protected resources. No patch is currently available, though exploitation requires specific conditions to be met.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Edge-Themes Belletrist belletrist allows PHP Local File Inclusion. This issue affects Belletrist: from n/a through <= 1.2. [CVSS 8.1 HIGH]
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes PJ | Life & Business Coaching pj allows PHP Local File Inclusion. This issue affects PJ | Life & Business Coaching: from n/a through <= 3.0.0. [CVSS 8.1 HIGH]
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes HealthFirst healthfirst allows PHP Local File Inclusion. This issue affects HealthFirst: from n/a through <= 1.0.1. [CVSS 8.1 HIGH]
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Select-Themes Struktur struktur allows PHP Local File Inclusion. This issue affects Struktur: from n/a through <= 2.5.1. [CVSS 8.1 HIGH]
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX FreightCo freightco allows PHP Local File Inclusion. This issue affects FreightCo: from n/a through <= 1.1.7. [CVSS 8.1 HIGH]
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX R&F rf allows PHP Local File Inclusion. This issue affects R&F: from n/a through <= 1.5. [CVSS 8.1 HIGH]
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Yokoo yokoo allows PHP Local File Inclusion. This issue affects Yokoo: from n/a through <= 1.1.11. [CVSS 8.1 HIGH]
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Cobble cobble allows PHP Local File Inclusion. This issue affects Cobble: from n/a through <= 1.7. [CVSS 8.1 HIGH]
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Plank plank allows PHP Local File Inclusion. This issue affects Plank: from n/a through <= 1.7. [CVSS 8.1 HIGH]
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Tint tint allows PHP Local File Inclusion. This issue affects Tint: from n/a through <= 1.7. [CVSS 8.1 HIGH]
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Splendour splendour allows PHP Local File Inclusion. This issue affects Splendour: from n/a through <= 1.23. [CVSS 8.1 HIGH]
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Gable gable allows PHP Local File Inclusion. This issue affects Gable: from n/a through <= 1.5. [CVSS 8.1 HIGH]
whatwouldjessedo Simple Retail Menus simple-retail-menus is affected by PHP remote file inclusion (CVSS 7.5).
Mikado-Themes Wanderland versions 1.5 and earlier contain a local file inclusion vulnerability in PHP that enables attackers to read arbitrary files from the affected server without authentication. The vulnerability stems from improper validation of file paths in include/require statements, allowing an unauthenticated remote attacker to access sensitive system files. No patch is currently available for this vulnerability.
Local file inclusion in Elated-Themes Askka version 1.0 and earlier allows unauthenticated remote attackers to read arbitrary files from the affected server through improper validation of include/require statements. The vulnerability carries high severity with potential for information disclosure and system compromise. No patch is currently available for this vulnerability.
ThemeREX Hoverex versions up to 1.5.10 contain a local file inclusion vulnerability in PHP that allows unauthenticated attackers to read arbitrary files from the server through improper handling of include/require statements. An attacker with network access can exploit this to disclose sensitive configuration files, source code, or other critical data without authentication. No patch is currently available for this vulnerability.
Don Peppe WordPress theme version 1.3 and earlier contains a local file inclusion vulnerability in its file handling mechanism that could allow an attacker to read arbitrary files from the affected server. The vulnerability stems from improper input validation on filename parameters used in PHP include/require statements, enabling attackers to traverse the filesystem and access sensitive data. Currently, no patch is available for this vulnerability.
Select-Themes Prowess version 1.8.1 and earlier contains a local file inclusion vulnerability in its PHP file handling that allows unauthenticated attackers to read arbitrary files from the affected system. The vulnerability stems from improper validation of filenames in include/require statements, enabling attackers to traverse directories and access sensitive data. No patch is currently available for this high-severity vulnerability (CVSS 8.1).
ThemeREX Alliance versions up to 3.1.1 contain a local file inclusion vulnerability in PHP that allows unauthenticated attackers to read arbitrary files from the server through improper handling of filename parameters in include/require statements. With a CVSS score of 8.1, this vulnerability enables attackers to access sensitive system files and potentially execute code depending on server configuration. No patch is currently available for affected versions.
LaunchandSell Tribe plugin for PHP versions through 1.7.3 contains a local file inclusion vulnerability that allows unauthenticated remote attackers to read arbitrary files on the server. The flaw stems from improper validation of filenames in include/require statements, enabling attackers to access sensitive data without authentication. No patch is currently available for this vulnerability.
Elated-Themes Zentrum version 1.0 and earlier contains a local file inclusion vulnerability in its PHP file handling that enables attackers to read arbitrary files from the server without authentication. The high CVSS score of 8.1 reflects the potential for complete compromise of confidentiality and integrity, though exploitation requires specific conditions. No patch is currently available for affected installations.
Local file inclusion in AncoraThemes Green Planet through version 1.1.14 allows unauthenticated attackers to read arbitrary files on affected servers by manipulating include/require statements in PHP. This CWE-98 vulnerability carries a CVSS score of 8.1 with high impact on confidentiality and integrity, though no patch is currently available.
AncoraThemes Playa versions up to 1.3.9 contain a local file inclusion vulnerability in PHP that allows unauthenticated attackers to read arbitrary files from the affected server. The flaw stems from improper validation of file paths in include/require statements, enabling attackers to traverse directories and access sensitive system files. No patch is currently available for this vulnerability.
Local file inclusion in Elated-Themes Helvig through version 1.0 enables unauthenticated remote attackers to read arbitrary files from affected systems. The vulnerability stems from improper control of filename parameters in PHP include/require statements, allowing attackers to traverse the filesystem and access sensitive data. No patch is currently available.
ElectroServ through version 1.3.2 contains a local file inclusion vulnerability in its PHP-based file handling that enables unauthenticated attackers to read arbitrary files from the server. An attacker can exploit this weakness over the network without user interaction to access sensitive data or potentially execute code through log poisoning techniques. No patch is currently available for this vulnerability.
Local file inclusion in AncoraThemes Crown Art through version 1.2.11 enables unauthenticated remote attackers to read arbitrary files from the affected server through improper handling of include/require statements. This vulnerability carries a high CVSS score of 8.1 and allows potential access to sensitive configuration files and application data. No patch is currently available for this vulnerability.
PHP Local File Inclusion in AncoraThemes CloudMe through version 1.2.2 enables unauthenticated attackers to read arbitrary files on affected systems through improper filename validation in include/require statements. The high CVSS score of 8.1 reflects the potential for confidentiality and integrity compromise, though no patch is currently available.
Woopy through version 1.2 by AncoraThemes contains a local file inclusion vulnerability in PHP that allows unauthenticated attackers to read arbitrary files from the affected system. The vulnerability stems from improper validation of filename parameters in include/require statements, enabling attackers to traverse the file system and access sensitive data. No patch is currently available for this vulnerability.
AncoraThemes Wabi-Sabi theme version 1.2 and earlier contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files on the server through improper handling of file inclusion parameters. An attacker can exploit this to access sensitive configuration files, database credentials, and other confidential data stored on the affected WordPress installation. No patch is currently available.
Mikado-Themes Verdure WordPress theme version 1.6 and earlier contains an improper file inclusion vulnerability that enables attackers to read arbitrary files from the affected server without authentication. The flaw in the theme's include/require statement handling allows local and remote file inclusion attacks, potentially exposing sensitive configuration files and other critical data. No patch is currently available for this vulnerability.
The Tooth Fairy WordPress theme through version 1.16 contains a local file inclusion vulnerability in its PHP file handling that allows attackers to read arbitrary files from the server. An unauthenticated remote attacker can exploit this by manipulating file inclusion parameters to access sensitive data or potentially execute code. No patch is currently available for this vulnerability.
Mikado-Themes GoTravel versions 2.1 and earlier contain a local file inclusion vulnerability in PHP file handling that allows unauthenticated attackers to read arbitrary files from the affected server. The vulnerability stems from improper input validation on filename parameters used in PHP include/require statements, enabling attackers to traverse the filesystem and access sensitive data without authentication.
Elated-Themes Sweet Jane theme through version 1.2 contains a local file inclusion vulnerability in PHP that allows unauthenticated attackers to read arbitrary files on the server. The vulnerability stems from improper validation of file paths in include/require statements, enabling attackers to traverse directories and access sensitive information. No patch is currently available for affected installations.
Local file inclusion in AncoraThemes Shaha versions up to 1.1.2 enables attackers to read arbitrary files through improper input validation in PHP include/require statements. An unauthenticated remote attacker can exploit this vulnerability to access sensitive server files and potentially execute arbitrary code, with no patch currently available.
SetSail theme versions 1.8 and earlier for PHP are vulnerable to local file inclusion attacks due to improper input validation on file inclusion statements, potentially allowing attackers to read arbitrary files on the server. The vulnerability carries a high CVSS score of 8.1 and affects confidentiality, integrity, and availability, though no patch is currently available. Remote exploitation is possible under specific conditions, and affected users should implement access controls or upgrade once patches become available.
AncoraThemes Quantum theme versions up to 1.0 contain a local file inclusion vulnerability that enables attackers to read arbitrary files from the server through improper input validation in file inclusion functions. An unauthenticated remote attacker can exploit this to access sensitive configuration files and potentially execute arbitrary code on affected WordPress installations. No patch is currently available, though the vulnerability has a low exploit probability (0.2% EPSS).
Local file inclusion in AncoraThemes Horizon through version 1.1 enables unauthenticated attackers to read arbitrary files on affected servers through improper filename validation in PHP include/require statements. With a CVSS score of 8.1, this vulnerability allows complete compromise of confidentiality, integrity, and availability, though exploitation requires specific conditions. No patch is currently available for this vulnerability.
AncoraThemes Honor version 2.3 and earlier contains a PHP local file inclusion vulnerability that allows unauthenticated remote attackers to read arbitrary files from the server through improper input validation on file inclusion parameters. An attacker can exploit this to access sensitive configuration files, source code, or other confidential data stored on the affected web server. No patch is currently available for this vulnerability.
Local file inclusion in AncoraThemes Great Lotus through version 1.3.1 allows unauthenticated attackers to read arbitrary files on affected servers by exploiting improper input validation in file inclusion functions. The vulnerability carries a CVSS score of 8.1 and enables attackers to access sensitive data including configuration files and source code, though no patch is currently available.
PHP Local File Inclusion in AncoraThemes FixTeam through version 1.4 enables unauthenticated remote attackers to read arbitrary files on affected systems through improper handling of file include/require statements. The vulnerability carries a high CVSS score of 8.1 with potential for information disclosure and system compromise, though no patch is currently available.
The Mounty WordPress theme through version 1.1 contains a local file inclusion vulnerability in its PHP file handling that allows unauthenticated attackers to read arbitrary files from the server. The vulnerability stems from improper validation of file paths in include/require statements, enabling attackers to access sensitive configuration files and potentially source code. With a CVSS score of 8.1 and no patch currently available, affected sites running vulnerable versions face significant risk of information disclosure.
Mikado-Themes Marra version 1.2 and earlier contains a local file inclusion vulnerability in its PHP file handling that allows unauthenticated attackers to read arbitrary files on the server. The vulnerability stems from improper validation of filenames used in include/require statements, enabling attackers to traverse the filesystem and access sensitive data. No patch is currently available for this issue.
Local file inclusion in Mikado-Themes Malgré versions up to 1.0.3 allows unauthenticated attackers to read arbitrary files from the affected server through improper handling of file inclusion parameters. An attacker can exploit this vulnerability over the network without user interaction to access sensitive information, potentially leading to credential disclosure or further system compromise. No patch is currently available.
Mikado-Themes Eona versions 1.3 and earlier contain a local file inclusion vulnerability in PHP that allows unauthenticated attackers to read arbitrary files from the affected server. The vulnerability stems from improper validation of filename parameters in include/require statements, enabling attackers to traverse the filesystem and access sensitive data. No patch is currently available for this vulnerability.
Local file inclusion in Mikado-Themes Dolcino through version 1.6 allows unauthenticated remote attackers to read arbitrary files on affected systems by manipulating include/require parameters. The vulnerability stems from improper validation of filenames in PHP file inclusion statements, enabling attackers to traverse the filesystem without authentication. No patch is currently available for this vulnerability.
Local and remote file inclusion in Mikado-Themes Justicia through version 1.2 enables attackers to read arbitrary files or execute malicious PHP code on affected systems. The vulnerability stems from improper validation of file paths in include/require statements, allowing unauthenticated remote exploitation. No patch is currently available; affected users should upgrade to a patched version when released or implement web application firewall rules to restrict suspicious file inclusion attempts.
Local file inclusion in Mikado-Themes Overton version 1.3 and earlier allows unauthenticated remote attackers to read arbitrary files on the server through improper handling of PHP include/require statements. The vulnerability requires specific conditions to exploit (high complexity) but could lead to complete compromise of confidentiality and integrity. No patch is currently available for affected installations.
Mikado-Themes Innovio through version 1.7 contains a local file inclusion vulnerability in its PHP file handling that allows unauthenticated attackers to read arbitrary files from the server. The vulnerability stems from improper validation of filenames used in PHP include/require statements, enabling attackers to access sensitive data without authentication. No patch is currently available for this high-severity issue affecting all versions through 1.7.
Local file inclusion in Mikado-Themes Holmes version 1.7 and earlier allows unauthenticated remote attackers to read arbitrary files on affected servers through improper input validation in PHP include/require statements. The vulnerability has a CVSS score of 8.1 and enables attackers to potentially access sensitive configuration files and database credentials. No patch is currently available for this vulnerability.
Mikado-Themes Fleur version 2.0 and earlier contains a local file inclusion vulnerability in PHP that permits attackers to read arbitrary files on affected systems through improper input validation in file inclusion functions. The vulnerability requires specific conditions to exploit but grants high-impact access to sensitive data and potential system compromise. No patch is currently available.
Mikado-Themes Fiorello through version 1.0 contains a local file inclusion vulnerability in its PHP code that fails to properly validate filenames used in include/require statements, enabling attackers to read arbitrary files on the affected server. The vulnerability requires specific conditions to exploit but carries high impact, allowing unauthorized access to sensitive data and potential code execution. No security patch is currently available for this vulnerability.
Mikado-Themes Evently plugin version 1.7 and earlier contains a local file inclusion vulnerability in its PHP include/require handling that enables attackers to read arbitrary files from the server without authentication. The flaw stems from improper filename validation, allowing unauthenticated remote attackers to disclose sensitive information such as configuration files and source code. No patch is currently available for affected installations.
Mikado-Themes Cortex version 1.5 and earlier contains a local file inclusion vulnerability in its PHP file handling that allows unauthenticated remote attackers to read arbitrary files on the server. The vulnerability stems from improper validation of filenames in include/require statements, enabling attackers to traverse the filesystem and access sensitive data. No patch is currently available for this vulnerability.
Mikado-Themes Cocco versions up to 1.5.1 contain a local file inclusion vulnerability in PHP file handling that enables attackers to read arbitrary files on affected systems. An unauthenticated remote attacker can exploit improper input validation in include/require statements to access sensitive data without authentication. No patch is currently available for this high-severity vulnerability (CVSS 8.1).
Mikado-Themes Aviana through version 2.1 contains a local file inclusion vulnerability in PHP that enables attackers to read arbitrary files on the server through improper handling of include/require statements. An unauthenticated remote attacker can exploit this weakness to access sensitive files and potentially execute arbitrary code, though no patch is currently available. The vulnerability carries a CVSS score of 8.1 and affects all versions up to and including Aviana 2.1.
PHP Local File Inclusion in Wolmart through version 1.9.6 enables unauthenticated attackers over the network to read arbitrary files on affected systems due to improper input validation in file inclusion functions. The vulnerability carries high impact potential for confidentiality and integrity, though no patch is currently available. An attacker with network access can leverage this flaw to access sensitive configuration files, source code, or other protected resources without authentication.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in don-themes Molla molla allows PHP Local File Inclusion. This issue affects Molla: from n/a through <= 1.5.16. [CVSS 8.1 HIGH]
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ovatheme Remons remons allows PHP Local File Inclusion. This issue affects Remons: from n/a through <= 1.3.4. [CVSS 8.1 HIGH]
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Berger berger allows PHP Local File Inclusion. This issue affects Berger: from n/a through <= 1.1.1. [CVSS 8.1 HIGH]
Page Builder by SiteOrigin (WordPress plugin) versions up to 2.33.5 are affected by path traversal (CVSS 8.8).
Unauthenticated RCE and information disclosure via Local File Inclusion in Johnson Controls Frick Controls. Fifth critical vulnerability in the product line, enabling arbitrary file reads and code execution.
Open Source Point Of Sale versions up to 3.4.1 are affected by unrestricted upload of file with dangerous type (CVSS 8.8).
Mikado-Themes PawFriends - Pet Shop and Veterinary WordPress Theme pawfriends is affected by PHP remote file inclusion (CVSS 8.1).
Local file inclusion in AncoraThemes Unlimhost through version 1.2.3 allows unauthenticated attackers to read arbitrary files from the server via improper handling of include/require statements. The vulnerability carries high confidentiality and integrity impact, enabling attackers to potentially access sensitive configuration files or execute code through log poisoning techniques. No patch is currently available for this issue.
AncoraThemes Netmix versions 1.0.10 and earlier contain a local file inclusion vulnerability in PHP file handling that allows unauthenticated remote attackers to read sensitive files from the affected system. The vulnerability stems from improper validation of filenames in include/require statements, enabling attackers to traverse directories and access arbitrary files on the server. No patch is currently available for this high-severity issue (CVSS 8.1).
Blabber through version 1.7.0 contains a local file inclusion vulnerability in its PHP code that allows unauthenticated attackers to read arbitrary files from the server. An attacker can exploit improper filename validation in include/require statements to access sensitive system files without authentication. No patch is currently available for this high-severity vulnerability affecting PHP environments.
Local file inclusion in AncoraThemes Saveo through version 1.1.2 enables unauthenticated attackers to read arbitrary files on affected servers through improper input validation on file inclusion functions. The vulnerability carries high severity with complete confidentiality and integrity impacts, though no patch is currently available.
AncoraThemes Parkivia through version 1.1.9 contains a local file inclusion vulnerability in its PHP include/require handling that allows unauthenticated remote attackers to read arbitrary files from the server. The vulnerability exploits improper filename control mechanisms to access sensitive system files without authentication. No patch is currently available, and exploitation requires moderate attack complexity but results in high confidentiality, integrity, and availability impact.
AncoraThemes Impacto Patronus through version 1.2.3 contains a local file inclusion vulnerability in its PHP include/require handling that allows attackers to read arbitrary files on the server. An unauthenticated remote attacker can exploit this vulnerability to access sensitive configuration files, credentials, and other protected data without authentication. No patch is currently available for this vulnerability.
AncoraThemes Zio Alberto through version 1.2.2 contains a local file inclusion vulnerability in its PHP file handling that allows unauthenticated attackers to read arbitrary files from the server. The vulnerability stems from improper validation of file paths in include/require statements, enabling attackers to traverse the filesystem and access sensitive data. No patch is currently available for this issue.
PHP Local File Inclusion in AncoraThemes Fooddy through version 1.3.10 enables attackers to read arbitrary files on the server through improper input validation in file inclusion mechanisms. An unauthenticated remote attacker can exploit this vulnerability over the network to access sensitive files and potentially execute arbitrary code, achieving high impact on confidentiality, integrity, and availability. No patch is currently available for this vulnerability.
AncoraThemes Isida through version 1.4.2 contains a local file inclusion vulnerability in its PHP file handling that allows unauthenticated attackers to read arbitrary files from the server. The flaw stems from improper validation of include/require statements, enabling attackers to access sensitive files and potentially execute arbitrary code. No patch is currently available, and exploitation requires moderate complexity conditions.
AncoraThemes Gustavo plugin version 1.2.2 and earlier contains a local file inclusion vulnerability in its PHP file handling that allows unauthenticated remote attackers to read arbitrary files from the server. The vulnerability stems from improper validation of filenames in include/require statements, enabling attackers to traverse the filesystem and access sensitive data. With no available patch, affected sites running vulnerable versions face significant risk of information disclosure.
Axiomthemes Marveland versions up to 1.3.0 contain a local file inclusion vulnerability in PHP that allows unauthenticated attackers to read arbitrary files on the server through improper handling of include/require statements. An attacker can exploit this weakness over the network without user interaction to disclose sensitive information or potentially execute arbitrary code. No patch is currently available.
Local file inclusion in AncoraThemes Ironfit through version 1.5 enables unauthenticated attackers to read arbitrary files from the server through improper handling of file inclusion parameters. The vulnerability grants high-impact access to sensitive data and potential system compromise without authentication or user interaction required. No patch is currently available for affected installations.
Local file inclusion in Axiomthemes Redy versions up to 1.0.2 allows unauthenticated attackers to read arbitrary files from the affected server by manipulating include/require statements. An attacker can exploit this vulnerability over the network to disclose sensitive information such as configuration files or source code. No patch is currently available for this vulnerability.
AncoraThemes Coworking plugin through version 1.6.1 contains a local file inclusion vulnerability in its PHP file handling that could allow attackers to read arbitrary files from the affected server. An unauthenticated remote attacker can exploit improper input validation on filename parameters to access sensitive system files and potentially execute arbitrary code. No patch is currently available for this vulnerability.
Axiomthemes Jude through version 1.3.0 contains a local file inclusion vulnerability in its PHP include/require handling that allows unauthenticated remote attackers to read arbitrary files from the affected server. The vulnerability requires specific conditions to be met (high complexity) but results in complete compromise of confidentiality, integrity, and availability. No patch is currently available for this vulnerability.
PHP Remote File Inclusion in Soleng WordPress theme.
Improper file inclusion validation in axiomthemes SevenTrees PHP plugin versions 1.0.2 and earlier enables unauthenticated attackers to include and execute arbitrary local files through remote requests. This remote file inclusion vulnerability allows attackers to execute malicious PHP code with full system privileges. Currently no patch is available and the vulnerability has low exploit probability.
Axiom Themes Rhodos through version 1.3.3 contains a local file inclusion vulnerability in its PHP file handling that allows unauthenticated attackers to read arbitrary files from the server. The improper validation of include/require statements enables attackers to access sensitive application data and configuration files without authentication. Currently no patch is available for this vulnerability.
Axiomthemes Photolia through version 1.0.3 contains a local file inclusion vulnerability in its PHP include/require handling that enables attackers to read arbitrary files from the affected server. An unauthenticated remote attacker can exploit this weakness over the network to access sensitive information without user interaction. No patch is currently available, making this a high-severity risk for active installations of this theme.
PHP Local File Inclusion in axiomthemes A-Mart versions up to 1.0.2 enables unauthenticated remote attackers to read arbitrary files from the server through improper handling of include/require statements. An attacker can leverage this vulnerability to disclose sensitive configuration files, source code, or other confidential data accessible to the web server process. No patch is currently available for this vulnerability.
Jetpack CRM versions 6.7.0 and earlier contain a local file inclusion vulnerability in their PHP code that allows attackers to manipulate file inclusion statements and access arbitrary files on the server. An unauthenticated attacker can exploit this through a user interaction to read sensitive files or potentially execute arbitrary code with high impact. No patch is currently available for this vulnerability.
Mikado-Themes FiveStar plugin through version 1.7 contains a local file inclusion vulnerability in its PHP file handling that allows unauthenticated attackers to read arbitrary files from the server. The vulnerability stems from improper validation of filename parameters in include/require statements, enabling attackers to access sensitive configuration files and other protected resources. No patch is currently available, though exploitation requires specific conditions to be met.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Edge-Themes Belletrist belletrist allows PHP Local File Inclusion. This issue affects Belletrist: from n/a through <= 1.2. [CVSS 8.1 HIGH]
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes PJ | Life & Business Coaching pj allows PHP Local File Inclusion. This issue affects PJ | Life & Business Coaching: from n/a through <= 3.0.0. [CVSS 8.1 HIGH]
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes HealthFirst healthfirst allows PHP Local File Inclusion. This issue affects HealthFirst: from n/a through <= 1.0.1. [CVSS 8.1 HIGH]
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Select-Themes Struktur struktur allows PHP Local File Inclusion. This issue affects Struktur: from n/a through <= 2.5.1. [CVSS 8.1 HIGH]
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX FreightCo freightco allows PHP Local File Inclusion. This issue affects FreightCo: from n/a through <= 1.1.7. [CVSS 8.1 HIGH]
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX R&F rf allows PHP Local File Inclusion. This issue affects R&F: from n/a through <= 1.5. [CVSS 8.1 HIGH]
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Yokoo yokoo allows PHP Local File Inclusion. This issue affects Yokoo: from n/a through <= 1.1.11. [CVSS 8.1 HIGH]
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Cobble cobble allows PHP Local File Inclusion. This issue affects Cobble: from n/a through <= 1.7. [CVSS 8.1 HIGH]
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Plank plank allows PHP Local File Inclusion. This issue affects Plank: from n/a through <= 1.7. [CVSS 8.1 HIGH]
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Tint tint allows PHP Local File Inclusion. This issue affects Tint: from n/a through <= 1.7. [CVSS 8.1 HIGH]
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Splendour splendour allows PHP Local File Inclusion. This issue affects Splendour: from n/a through <= 1.23. [CVSS 8.1 HIGH]
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Gable gable allows PHP Local File Inclusion. This issue affects Gable: from n/a through <= 1.5. [CVSS 8.1 HIGH]
whatwouldjessedo Simple Retail Menus simple-retail-menus is affected by PHP remote file inclusion (CVSS 7.5).