Skip to main content

LFI

1172 CVEs technique

Monthly

CVE-2026-22425 HIGH This Week

Elated-Themes Sweet Jane theme through version 1.2 contains a local file inclusion vulnerability in PHP that allows unauthenticated attackers to read arbitrary files on the server. The vulnerability stems from improper validation of file paths in include/require statements, enabling attackers to traverse directories and access sensitive information. No patch is currently available for affected installations.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22424 HIGH This Week

Local file inclusion in AncoraThemes Shaha versions up to 1.1.2 enables attackers to read arbitrary files through improper input validation in PHP include/require statements. An unauthenticated remote attacker can exploit this vulnerability to access sensitive server files and potentially execute arbitrary code, with no patch currently available.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22423 HIGH This Week

SetSail theme versions 1.8 and earlier for PHP are vulnerable to local file inclusion attacks due to improper input validation on file inclusion statements, potentially allowing attackers to read arbitrary files on the server. The vulnerability carries a high CVSS score of 8.1 and affects confidentiality, integrity, and availability, though no patch is currently available. Remote exploitation is possible under specific conditions, and affected users should implement access controls or upgrade once patches become available.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22421 HIGH This Week

AncoraThemes Quantum theme versions up to 1.0 contain a local file inclusion vulnerability that enables attackers to read arbitrary files from the server through improper input validation in file inclusion functions. An unauthenticated remote attacker can exploit this to access sensitive configuration files and potentially execute arbitrary code on affected WordPress installations. No patch is currently available, though the vulnerability has a low exploit probability (0.2% EPSS).

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22420 HIGH This Week

Local file inclusion in AncoraThemes Horizon through version 1.1 enables unauthenticated attackers to read arbitrary files on affected servers through improper filename validation in PHP include/require statements. With a CVSS score of 8.1, this vulnerability allows complete compromise of confidentiality, integrity, and availability, though exploitation requires specific conditions. No patch is currently available for this vulnerability.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22419 HIGH This Week

AncoraThemes Honor version 2.3 and earlier contains a PHP local file inclusion vulnerability that allows unauthenticated remote attackers to read arbitrary files from the server through improper input validation on file inclusion parameters. An attacker can exploit this to access sensitive configuration files, source code, or other confidential data stored on the affected web server. No patch is currently available for this vulnerability.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22418 HIGH This Week

Local file inclusion in AncoraThemes Great Lotus through version 1.3.1 allows unauthenticated attackers to read arbitrary files on affected servers by exploiting improper input validation in file inclusion functions. The vulnerability carries a CVSS score of 8.1 and enables attackers to access sensitive data including configuration files and source code, though no patch is currently available.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22416 HIGH This Week

PHP Local File Inclusion in AncoraThemes FixTeam through version 1.4 enables unauthenticated remote attackers to read arbitrary files on affected systems through improper handling of file include/require statements. The vulnerability carries a high CVSS score of 8.1 with potential for information disclosure and system compromise, though no patch is currently available.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22415 HIGH This Week

The Mounty WordPress theme through version 1.1 contains a local file inclusion vulnerability in its PHP file handling that allows unauthenticated attackers to read arbitrary files from the server. The vulnerability stems from improper validation of file paths in include/require statements, enabling attackers to access sensitive configuration files and potentially source code. With a CVSS score of 8.1 and no patch currently available, affected sites running vulnerable versions face significant risk of information disclosure.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22414 HIGH This Week

Mikado-Themes Marra version 1.2 and earlier contains a local file inclusion vulnerability in its PHP file handling that allows unauthenticated attackers to read arbitrary files on the server. The vulnerability stems from improper validation of filenames used in include/require statements, enabling attackers to traverse the filesystem and access sensitive data. No patch is currently available for this issue.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22413 HIGH This Week

Local file inclusion in Mikado-Themes Malgré versions up to 1.0.3 allows unauthenticated attackers to read arbitrary files from the affected server through improper handling of file inclusion parameters. An attacker can exploit this vulnerability over the network without user interaction to access sensitive information, potentially leading to credential disclosure or further system compromise. No patch is currently available.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22412 HIGH This Week

Mikado-Themes Eona versions 1.3 and earlier contain a local file inclusion vulnerability in PHP that allows unauthenticated attackers to read arbitrary files from the affected server. The vulnerability stems from improper validation of filename parameters in include/require statements, enabling attackers to traverse the filesystem and access sensitive data. No patch is currently available for this vulnerability.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22410 HIGH This Week

Local file inclusion in Mikado-Themes Dolcino through version 1.6 allows unauthenticated remote attackers to read arbitrary files on affected systems by manipulating include/require parameters. The vulnerability stems from improper validation of filenames in PHP file inclusion statements, enabling attackers to traverse the filesystem without authentication. No patch is currently available for this vulnerability.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22408 HIGH This Week

Local and remote file inclusion in Mikado-Themes Justicia through version 1.2 enables attackers to read arbitrary files or execute malicious PHP code on affected systems. The vulnerability stems from improper validation of file paths in include/require statements, allowing unauthenticated remote exploitation. No patch is currently available; affected users should upgrade to a patched version when released or implement web application firewall rules to restrict suspicious file inclusion attempts.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22405 HIGH This Week

Local file inclusion in Mikado-Themes Overton version 1.3 and earlier allows unauthenticated remote attackers to read arbitrary files on the server through improper handling of PHP include/require statements. The vulnerability requires specific conditions to exploit (high complexity) but could lead to complete compromise of confidentiality and integrity. No patch is currently available for affected installations.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22403 HIGH This Week

Mikado-Themes Innovio through version 1.7 contains a local file inclusion vulnerability in its PHP file handling that allows unauthenticated attackers to read arbitrary files from the server. The vulnerability stems from improper validation of filenames used in PHP include/require statements, enabling attackers to access sensitive data without authentication. No patch is currently available for this high-severity issue affecting all versions through 1.7.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22399 HIGH This Week

Local file inclusion in Mikado-Themes Holmes version 1.7 and earlier allows unauthenticated remote attackers to read arbitrary files on affected servers through improper input validation in PHP include/require statements. The vulnerability has a CVSS score of 8.1 and enables attackers to potentially access sensitive configuration files and database credentials. No patch is currently available for this vulnerability.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22397 HIGH This Week

Mikado-Themes Fleur version 2.0 and earlier contains a local file inclusion vulnerability in PHP that permits attackers to read arbitrary files on affected systems through improper input validation in file inclusion functions. The vulnerability requires specific conditions to exploit but grants high-impact access to sensitive data and potential system compromise. No patch is currently available.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22395 HIGH This Week

Mikado-Themes Fiorello through version 1.0 contains a local file inclusion vulnerability in its PHP code that fails to properly validate filenames used in include/require statements, enabling attackers to read arbitrary files on the affected server. The vulnerability requires specific conditions to exploit but carries high impact, allowing unauthorized access to sensitive data and potential code execution. No security patch is currently available for this vulnerability.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22394 HIGH This Week

Mikado-Themes Evently plugin version 1.7 and earlier contains a local file inclusion vulnerability in its PHP include/require handling that enables attackers to read arbitrary files from the server without authentication. The flaw stems from improper filename validation, allowing unauthenticated remote attackers to disclose sensitive information such as configuration files and source code. No patch is currently available for affected installations.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22392 HIGH This Week

Mikado-Themes Cortex version 1.5 and earlier contains a local file inclusion vulnerability in its PHP file handling that allows unauthenticated remote attackers to read arbitrary files on the server. The vulnerability stems from improper validation of filenames in include/require statements, enabling attackers to traverse the filesystem and access sensitive data. No patch is currently available for this vulnerability.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22389 HIGH This Week

Mikado-Themes Cocco versions up to 1.5.1 contain a local file inclusion vulnerability in PHP file handling that enables attackers to read arbitrary files on affected systems. An unauthenticated remote attacker can exploit improper input validation in include/require statements to access sensitive data without authentication. No patch is currently available for this high-severity vulnerability (CVSS 8.1).

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22387 HIGH This Week

Mikado-Themes Aviana through version 2.1 contains a local file inclusion vulnerability in PHP that enables attackers to read arbitrary files on the server through improper handling of include/require statements. An unauthenticated remote attacker can exploit this weakness to access sensitive files and potentially execute arbitrary code, though no patch is currently available. The vulnerability carries a CVSS score of 8.1 and affects all versions up to and including Aviana 2.1.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22385 HIGH This Week

PHP Local File Inclusion in Wolmart through version 1.9.6 enables unauthenticated attackers over the network to read arbitrary files on affected systems due to improper input validation in file inclusion functions. The vulnerability carries high impact potential for confidentiality and integrity, though no patch is currently available. An attacker with network access can leverage this flaw to access sensitive configuration files, source code, or other protected resources without authentication.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-69339 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in don-themes Molla molla allows PHP Local File Inclusion.This issue affects Molla: from n/a through <= 1.5.16. [CVSS 8.1 HIGH]

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-69090 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ovatheme Remons remons allows PHP Local File Inclusion.This issue affects Remons: from n/a through <= 1.3.4. [CVSS 8.1 HIGH]

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-53335 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Berger berger allows PHP Local File Inclusion.This issue affects Berger: from n/a through <= 1.1.1. [CVSS 8.1 HIGH]

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-21659 CRITICAL Act Now

Unauthenticated RCE and information disclosure via Local File Inclusion in Johnson Controls Frick Controls. Fifth critical vulnerability in the product line, enabling arbitrary file reads and code execution.

RCE LFI Information Disclosure Frick Controls Quantum Hd Firmware
NVD
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-26746 HIGH POC This Week

Open Source Point Of Sale versions up to 3.4.1 is affected by unrestricted upload of file with dangerous type (CVSS 8.8).

PHP RCE LFI Open Source Point Of Sale
NVD GitHub
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-22381 HIGH This Week

Mikado-Themes PawFriends - Pet Shop and Veterinary WordPress Theme pawfriends is affected by php remote file inclusion (CVSS 8.1).

WordPress PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22380 HIGH This Week

Local file inclusion in AncoraThemes Unlimhost through version 1.2.3 allows unauthenticated attackers to read arbitrary files from the server via improper handling of include/require statements. The vulnerability carries high confidentiality and integrity impact, enabling attackers to potentially access sensitive configuration files or execute code through log poisoning techniques. No patch is currently available for this issue.

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22379 HIGH This Week

AncoraThemes Netmix versions 1.0.10 and earlier contain a local file inclusion vulnerability in PHP file handling that allows unauthenticated remote attackers to read sensitive files from the affected system. The vulnerability stems from improper validation of filenames in include/require statements, enabling attackers to traverse directories and access arbitrary files on the server. No patch is currently available for this high-severity issue (CVSS 8.1).

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22378 HIGH This Week

Blabber through version 1.7.0 contains a local file inclusion vulnerability in its PHP code that allows unauthenticated attackers to read arbitrary files from the server. An attacker can exploit improper filename validation in include/require statements to access sensitive system files without authentication. No patch is currently available for this high-severity vulnerability affecting PHP environments.

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22377 HIGH This Week

Local file inclusion in AncoraThemes Saveo through version 1.1.2 enables unauthenticated attackers to read arbitrary files on affected servers through improper input validation on file inclusion functions. The vulnerability carries high severity with complete confidentiality and integrity impacts, though no patch is currently available.

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22376 HIGH This Week

AncoraThemes Parkivia through version 1.1.9 contains a local file inclusion vulnerability in its PHP include/require handling that allows unauthenticated remote attackers to read arbitrary files from the server. The vulnerability exploits improper filename control mechanisms to access sensitive system files without authentication. No patch is currently available, and exploitation requires moderate attack complexity but results in high confidentiality, integrity, and availability impact.

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22375 HIGH This Week

AncoraThemes Impacto Patronus through version 1.2.3 contains a local file inclusion vulnerability in its PHP include/require handling that allows attackers to read arbitrary files on the server. An unauthenticated remote attacker can exploit this vulnerability to access sensitive configuration files, credentials, and other protected data without authentication. No patch is currently available for this vulnerability.

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22374 HIGH This Week

AncoraThemes Zio Alberto through version 1.2.2 contains a local file inclusion vulnerability in its PHP file handling that allows unauthenticated attackers to read arbitrary files from the server. The vulnerability stems from improper validation of file paths in include/require statements, enabling attackers to traverse the filesystem and access sensitive data. No patch is currently available for this issue.

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22373 HIGH This Week

PHP Local File Inclusion in AncoraThemes Fooddy through version 1.3.10 enables attackers to read arbitrary files on the server through improper input validation in file inclusion mechanisms. An unauthenticated remote attacker can exploit this vulnerability over the network to access sensitive files and potentially execute arbitrary code, achieving high impact on confidentiality, integrity, and availability. No patch is currently available for this vulnerability.

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22372 HIGH This Week

AncoraThemes Isida through version 1.4.2 contains a local file inclusion vulnerability in its PHP file handling that allows unauthenticated attackers to read arbitrary files from the server. The flaw stems from improper validation of include/require statements, enabling attackers to access sensitive files and potentially execute arbitrary code. No patch is currently available, and exploitation requires moderate complexity conditions.

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22371 HIGH This Week

AncoraThemes Gustavo plugin version 1.2.2 and earlier contains a local file inclusion vulnerability in its PHP file handling that allows unauthenticated remote attackers to read arbitrary files from the server. The vulnerability stems from improper validation of filenames in include/require statements, enabling attackers to traverse the filesystem and access sensitive data. With no available patch, affected sites running vulnerable versions face significant risk of information disclosure.

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22370 HIGH This Week

Axiomthemes Marveland versions up to 1.3.0 contain a local file inclusion vulnerability in PHP that allows unauthenticated attackers to read arbitrary files on the server through improper handling of include/require statements. An attacker can exploit this weakness over the network without user interaction to disclose sensitive information or potentially execute arbitrary code. No patch is currently available.

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22369 HIGH This Week

Local file inclusion in AncoraThemes Ironfit through version 1.5 enables unauthenticated attackers to read arbitrary files from the server through improper handling of file inclusion parameters. The vulnerability grants high-impact access to sensitive data and potential system compromise without authentication or user interaction required. No patch is currently available for affected installations.

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22368 HIGH This Week

Local file inclusion in Axiomthemes Redy versions up to 1.0.2 allows unauthenticated attackers to read arbitrary files from the affected server by manipulating include/require statements. An attacker can exploit this vulnerability over the network to disclose sensitive information such as configuration files or source code. No patch is currently available for this vulnerability.

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22367 HIGH This Week

AncoraThemes Coworking plugin through version 1.6.1 contains a local file inclusion vulnerability in its PHP file handling that could allow attackers to read arbitrary files from the affected server. An unauthenticated remote attacker can exploit improper input validation on filename parameters to access sensitive system files and potentially execute arbitrary code. No patch is currently available for this vulnerability.

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22366 HIGH This Week

Axiomthemes Jude through version 1.3.0 contains a local file inclusion vulnerability in its PHP include/require handling that allows unauthenticated remote attackers to read arbitrary files from the affected server. The vulnerability requires specific conditions to be met (high complexity) but results in complete compromise of confidentiality, integrity, and availability. No patch is currently available for this vulnerability.

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22365 HIGH This Week

PHP Remote File Inclusion in Soleng WordPress theme.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22364 HIGH This Week

Improper file inclusion validation in axiomthemes SevenTrees PHP plugin versions 1.0.2 and earlier enables unauthenticated attackers to include and execute arbitrary local files through remote requests. This remote file inclusion vulnerability allows attackers to execute malicious PHP code with full system privileges. Currently no patch is available and the vulnerability has low exploit probability.

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22363 HIGH This Week

Axiom Themes Rhodos through version 1.3.3 contains a local file inclusion vulnerability in its PHP file handling that allows unauthenticated attackers to read arbitrary files from the server. The improper validation of include/require statements enables attackers to access sensitive application data and configuration files without authentication. Currently no patch is available for this vulnerability.

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22362 HIGH This Week

Axiomthemes Photolia through version 1.0.3 contains a local file inclusion vulnerability in its PHP include/require handling that enables attackers to read arbitrary files from the affected server. An unauthenticated remote attacker can exploit this weakness over the network to access sensitive information without user interaction. No patch is currently available, making this a high-severity risk for active installations of this theme.

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22361 HIGH This Week

PHP Local File Inclusion in axiomthemes A-Mart versions up to 1.0.2 enables unauthenticated remote attackers to read arbitrary files from the server through improper handling of include/require statements. An attacker can leverage this vulnerability to disclose sensitive configuration files, source code, or other confidential data accessible to the web server process. No patch is currently available for this vulnerability.

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22356 HIGH This Week

Jetpack CRM versions 6.7.0 and earlier contain a local file inclusion vulnerability in their PHP code that allows attackers to manipulate file inclusion statements and access arbitrary files on the server. An unauthenticated attacker can exploit this through a user interaction to read sensitive files or potentially execute arbitrary code with high impact. No patch is currently available for this vulnerability.

PHP LFI
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-22344 HIGH This Week

Mikado-Themes FiveStar plugin through version 1.7 contains a local file inclusion vulnerability in its PHP file handling that allows unauthenticated attackers to read arbitrary files from the server. The vulnerability stems from improper validation of filename parameters in include/require statements, enabling attackers to access sensitive configuration files and other protected resources. No patch is currently available, though exploitation requires specific conditions to be met.

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-69410 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Edge-Themes Belletrist belletrist allows PHP Local File Inclusion.This issue affects Belletrist: from n/a through <= 1.2. [CVSS 8.1 HIGH]

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-69409 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes PJ | Life & Business Coaching pj allows PHP Local File Inclusion.This issue affects PJ | Life & Business Coaching: from n/a through <= 3.0.0. [CVSS 8.1 HIGH]

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-69408 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes HealthFirst healthfirst allows PHP Local File Inclusion.This issue affects HealthFirst: from n/a through <= 1.0.1. [CVSS 8.1 HIGH]

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-69407 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Select-Themes Struktur struktur allows PHP Local File Inclusion.This issue affects Struktur: from n/a through <= 2.5.1. [CVSS 8.1 HIGH]

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-69406 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX FreightCo freightco allows PHP Local File Inclusion.This issue affects FreightCo: from n/a through <= 1.1.7. [CVSS 8.1 HIGH]

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-69402 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX R&F rf allows PHP Local File Inclusion.This issue affects R&F: from n/a through <= 1.5. [CVSS 8.1 HIGH]

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-69400 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Yokoo yokoo allows PHP Local File Inclusion.This issue affects Yokoo: from n/a through <= 1.1.11. [CVSS 8.1 HIGH]

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-69399 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Cobble cobble allows PHP Local File Inclusion.This issue affects Cobble: from n/a through <= 1.7. [CVSS 8.1 HIGH]

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-69398 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Plank plank allows PHP Local File Inclusion.This issue affects Plank: from n/a through <= 1.7. [CVSS 8.1 HIGH]

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-69397 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Tint tint allows PHP Local File Inclusion.This issue affects Tint: from n/a through <= 1.7. [CVSS 8.1 HIGH]

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-69396 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Splendour splendour allows PHP Local File Inclusion.This issue affects Splendour: from n/a through <= 1.23. [CVSS 8.1 HIGH]

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-69395 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Gable gable allows PHP Local File Inclusion.This issue affects Gable: from n/a through <= 1.5. [CVSS 8.1 HIGH]

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-69387 HIGH This Week

whatwouldjessedo Simple Retail Menus simple-retail-menus is affected by php remote file inclusion (CVSS 7.5).

PHP LFI
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-69383 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Agence web Eoxia - Montpellier WP shop wpshop allows PHP Local File Inclusion.This issue affects WP shop: from n/a through <= 2.6.1. [CVSS 7.5 HIGH]

PHP LFI
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-69375 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in SolverWp Portfolio Builder swp-portfolio allows PHP Local File Inclusion.This issue affects Portfolio Builder: from n/a through <= 1.2.5. [CVSS 8.1 HIGH]

WordPress PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-69374 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in SolverWp Eleblog - Elementor Blog And Magazine Addons ele-blog allows PHP Local File Inclusion.This issue affects Eleblog - Elementor Blog And Magazine Addons: from n/a through <= 2.0.3. [CVSS 8.1 HIGH]

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-69373 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in beeteam368 VidoRev vidorev allows PHP Local File Inclusion.This issue affects VidoRev: from n/a through <= 2.9.9.9.9.9.7. [CVSS 7.5 HIGH]

PHP LFI Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-69322 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in fuelthemes PeakShops peakshops allows PHP Local File Inclusion.This issue affects PeakShops: from n/a through < 1.5.9. [CVSS 8.1 HIGH]

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-68841 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Themepul TopperPack - Complete Elementor Addons, Theme &amp; CPT Builder topper-pack allows PHP Local File Inclusion.This issue affects TopperPack - Complete Elementor Addons, Theme &amp; CPT Builder: from n/a through <= 1.2.1. [CVSS 7.5 HIGH]

PHP LFI Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-68552 HIGH This Week

WebCodingPlace WooCommerce Coming Soon Product with Countdown woo-coming-soon-product is affected by php remote file inclusion (CVSS 6.3).

WordPress PHP LFI Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-68545 HIGH This Week

PHP Remote File Inclusion in Nika WordPress theme by thembay.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-68543 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Diza diza allows PHP Local File Inclusion.This issue affects Diza: from n/a through <= 1.3.15. [CVSS 8.1 HIGH]

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-68539 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Fana fana allows PHP Local File Inclusion.This issue affects Fana: from n/a through <= 1.1.35. [CVSS 8.1 HIGH]

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-68536 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Zota zota allows PHP Local File Inclusion.This issue affects Zota: from n/a through <= 1.3.14. [CVSS 8.1 HIGH]

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-67992 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in LoftOcean PatioTime patiotime allows PHP Local File Inclusion.This issue affects PatioTime: from n/a through < 2.1. [CVSS 8.1 HIGH]

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-67988 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in LoftOcean CozyStay cozystay allows PHP Local File Inclusion.This issue affects CozyStay: from n/a through < 1.9.1. [CVSS 8.1 HIGH]

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-67982 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Urna urna allows PHP Local File Inclusion.This issue affects Urna: from n/a through <= 2.5.12. [CVSS 8.1 HIGH]

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-67981 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Besa besa allows PHP Local File Inclusion.This issue affects Besa: from n/a through <= 2.3.15. [CVSS 8.1 HIGH]

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-67980 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Hara hara allows PHP Local File Inclusion.This issue affects Hara: from n/a through <= 1.2.17. [CVSS 8.1 HIGH]

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-60087 HIGH This Week

Nenad Obradovic Extensive VC Addons for WPBakery page builder extensive-vc-addon is affected by php remote file inclusion (CVSS 8.1).

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-27343 HIGH This Week

PHP Local File Inclusion in Airtifact versions up to 1.2.91 permits authenticated attackers to read arbitrary files on the server through improper validation of include/require statements. With low privileges required and no user interaction necessary, an attacker can leverage this vulnerability to access sensitive configuration files or application source code. No patch is currently available for this vulnerability.

PHP LFI
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-27052 HIGH This Week

villatheme Sales Countdown Timer for WooCommerce and WordPress sctv-sales-countdown-timer is affected by php remote file inclusion (CVSS 7.5).

WordPress PHP LFI Information Disclosure
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-25326 HIGH This Week

cmsmasters CMSMasters Content Composer cmsmasters-content-composer is affected by php remote file inclusion (CVSS 7.5).

PHP LFI
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-0926 CRITICAL POC Act Now

Local File Inclusion in Prodigy Commerce WordPress plugin <= 3.2.9.

WordPress PHP LFI Information Disclosure RCE
NVD Exploit-DB VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-25548 CRITICAL POC PATCH Act Now

Remote Code Execution in InvoicePlane self-hosted invoicing application through code injection. PoC and patch available.

PHP RCE LFI Invoiceplane
NVD GitHub
CVSS 3.1
9.1
EPSS
0.4%
CVE-2025-12062 HIGH This Week

The WP Maps - Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.8.6 via the fc_load_template function. [CVSS 8.8 HIGH]

WordPress PHP LFI
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-1988 HIGH This Week

Arbitrary PHP code execution in the Flexi Product Slider and Grid for WooCommerce WordPress plugin through version 1.0.5 allows authenticated contributors to exploit unsanitized file path parameters in the flexipsg_carousel shortcode to include and execute arbitrary files on the server. The vulnerability requires an attacker with Contributor-level access or above to create posts containing malicious shortcodes, but carries high risk due to lack of input validation on the theme parameter enabling local file inclusion attacks. No patch is currently available for this vulnerability.

WordPress PHP LFI Path Traversal
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-15491 MEDIUM This Month

The Post Slides WordPress plugin through 1.0.1 does not validate some shortcode attributes before using them to generate paths passed to include function/s, allowing any authenticated users such as with contributor or higher roles to perform LFI attacks [CVSS 5.5 MEDIUM]

WordPress LFI PHP
NVD WPScan
CVSS 3.1
5.5
EPSS
0.0%
EPSS 0% CVSS 8.1
HIGH This Week

Elated-Themes Sweet Jane theme through version 1.2 contains a local file inclusion vulnerability in PHP that allows unauthenticated attackers to read arbitrary files on the server. The vulnerability stems from improper validation of file paths in include/require statements, enabling attackers to traverse directories and access sensitive information. No patch is currently available for affected installations.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local file inclusion in AncoraThemes Shaha versions up to 1.1.2 enables attackers to read arbitrary files through improper input validation in PHP include/require statements. An unauthenticated remote attacker can exploit this vulnerability to access sensitive server files and potentially execute arbitrary code, with no patch currently available.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

SetSail theme versions 1.8 and earlier for PHP are vulnerable to local file inclusion attacks due to improper input validation on file inclusion statements, potentially allowing attackers to read arbitrary files on the server. The vulnerability carries a high CVSS score of 8.1 and affects confidentiality, integrity, and availability, though no patch is currently available. Remote exploitation is possible under specific conditions, and affected users should implement access controls or upgrade once patches become available.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

AncoraThemes Quantum theme versions up to 1.0 contain a local file inclusion vulnerability that enables attackers to read arbitrary files from the server through improper input validation in file inclusion functions. An unauthenticated remote attacker can exploit this to access sensitive configuration files and potentially execute arbitrary code on affected WordPress installations. No patch is currently available, though the vulnerability has a low exploit probability (0.2% EPSS).

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local file inclusion in AncoraThemes Horizon through version 1.1 enables unauthenticated attackers to read arbitrary files on affected servers through improper filename validation in PHP include/require statements. With a CVSS score of 8.1, this vulnerability allows complete compromise of confidentiality, integrity, and availability, though exploitation requires specific conditions. No patch is currently available for this vulnerability.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

AncoraThemes Honor version 2.3 and earlier contains a PHP local file inclusion vulnerability that allows unauthenticated remote attackers to read arbitrary files from the server through improper input validation on file inclusion parameters. An attacker can exploit this to access sensitive configuration files, source code, or other confidential data stored on the affected web server. No patch is currently available for this vulnerability.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local file inclusion in AncoraThemes Great Lotus through version 1.3.1 allows unauthenticated attackers to read arbitrary files on affected servers by exploiting improper input validation in file inclusion functions. The vulnerability carries a CVSS score of 8.1 and enables attackers to access sensitive data including configuration files and source code, though no patch is currently available.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

PHP Local File Inclusion in AncoraThemes FixTeam through version 1.4 enables unauthenticated remote attackers to read arbitrary files on affected systems through improper handling of file include/require statements. The vulnerability carries a high CVSS score of 8.1 with potential for information disclosure and system compromise, though no patch is currently available.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

The Mounty WordPress theme through version 1.1 contains a local file inclusion vulnerability in its PHP file handling that allows unauthenticated attackers to read arbitrary files from the server. The vulnerability stems from improper validation of file paths in include/require statements, enabling attackers to access sensitive configuration files and potentially source code. With a CVSS score of 8.1 and no patch currently available, affected sites running vulnerable versions face significant risk of information disclosure.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Mikado-Themes Marra version 1.2 and earlier contains a local file inclusion vulnerability in its PHP file handling that allows unauthenticated attackers to read arbitrary files on the server. The vulnerability stems from improper validation of filenames used in include/require statements, enabling attackers to traverse the filesystem and access sensitive data. No patch is currently available for this issue.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local file inclusion in Mikado-Themes Malgré versions up to 1.0.3 allows unauthenticated attackers to read arbitrary files from the affected server through improper handling of file inclusion parameters. An attacker can exploit this vulnerability over the network without user interaction to access sensitive information, potentially leading to credential disclosure or further system compromise. No patch is currently available.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Mikado-Themes Eona versions 1.3 and earlier contain a local file inclusion vulnerability in PHP that allows unauthenticated attackers to read arbitrary files from the affected server. The vulnerability stems from improper validation of filename parameters in include/require statements, enabling attackers to traverse the filesystem and access sensitive data. No patch is currently available for this vulnerability.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local file inclusion in Mikado-Themes Dolcino through version 1.6 allows unauthenticated remote attackers to read arbitrary files on affected systems by manipulating include/require parameters. The vulnerability stems from improper validation of filenames in PHP file inclusion statements, enabling attackers to traverse the filesystem without authentication. No patch is currently available for this vulnerability.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local and remote file inclusion in Mikado-Themes Justicia through version 1.2 enables attackers to read arbitrary files or execute malicious PHP code on affected systems. The vulnerability stems from improper validation of file paths in include/require statements, allowing unauthenticated remote exploitation. No patch is currently available; affected users should upgrade to a patched version when released or implement web application firewall rules to restrict suspicious file inclusion attempts.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local file inclusion in Mikado-Themes Overton version 1.3 and earlier allows unauthenticated remote attackers to read arbitrary files on the server through improper handling of PHP include/require statements. The vulnerability requires specific conditions to exploit (high complexity) but could lead to complete compromise of confidentiality and integrity. No patch is currently available for affected installations.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Mikado-Themes Innovio through version 1.7 contains a local file inclusion vulnerability in its PHP file handling that allows unauthenticated attackers to read arbitrary files from the server. The vulnerability stems from improper validation of filenames used in PHP include/require statements, enabling attackers to access sensitive data without authentication. No patch is currently available for this high-severity issue affecting all versions through 1.7.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local file inclusion in Mikado-Themes Holmes version 1.7 and earlier allows unauthenticated remote attackers to read arbitrary files on affected servers through improper input validation in PHP include/require statements. The vulnerability has a CVSS score of 8.1 and enables attackers to potentially access sensitive configuration files and database credentials. No patch is currently available for this vulnerability.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Mikado-Themes Fleur version 2.0 and earlier contains a local file inclusion vulnerability in PHP that permits attackers to read arbitrary files on affected systems through improper input validation in file inclusion functions. The vulnerability requires specific conditions to exploit but grants high-impact access to sensitive data and potential system compromise. No patch is currently available.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Mikado-Themes Fiorello through version 1.0 contains a local file inclusion vulnerability in its PHP code that fails to properly validate filenames used in include/require statements, enabling attackers to read arbitrary files on the affected server. The vulnerability requires specific conditions to exploit but carries high impact, allowing unauthorized access to sensitive data and potential code execution. No security patch is currently available for this vulnerability.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Mikado-Themes Evently plugin version 1.7 and earlier contains a local file inclusion vulnerability in its PHP include/require handling that enables attackers to read arbitrary files from the server without authentication. The flaw stems from improper filename validation, allowing unauthenticated remote attackers to disclose sensitive information such as configuration files and source code. No patch is currently available for affected installations.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Mikado-Themes Cortex version 1.5 and earlier contains a local file inclusion vulnerability in its PHP file handling that allows unauthenticated remote attackers to read arbitrary files on the server. The vulnerability stems from improper validation of filenames in include/require statements, enabling attackers to traverse the filesystem and access sensitive data. No patch is currently available for this vulnerability.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Mikado-Themes Cocco versions up to 1.5.1 contain a local file inclusion vulnerability in PHP file handling that enables attackers to read arbitrary files on affected systems. An unauthenticated remote attacker can exploit improper input validation in include/require statements to access sensitive data without authentication. No patch is currently available for this high-severity vulnerability (CVSS 8.1).

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Mikado-Themes Aviana through version 2.1 contains a local file inclusion vulnerability in PHP that enables attackers to read arbitrary files on the server through improper handling of include/require statements. An unauthenticated remote attacker can exploit this weakness to access sensitive files and potentially execute arbitrary code, though no patch is currently available. The vulnerability carries a CVSS score of 8.1 and affects all versions up to and including Aviana 2.1.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

PHP Local File Inclusion in Wolmart through version 1.9.6 enables unauthenticated attackers over the network to read arbitrary files on affected systems due to improper input validation in file inclusion functions. The vulnerability carries high impact potential for confidentiality and integrity, though no patch is currently available. An attacker with network access can leverage this flaw to access sensitive configuration files, source code, or other protected resources without authentication.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in don-themes Molla molla allows PHP Local File Inclusion.This issue affects Molla: from n/a through <= 1.5.16. [CVSS 8.1 HIGH]

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ovatheme Remons remons allows PHP Local File Inclusion.This issue affects Remons: from n/a through <= 1.3.4. [CVSS 8.1 HIGH]

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Berger berger allows PHP Local File Inclusion.This issue affects Berger: from n/a through <= 1.1.1. [CVSS 8.1 HIGH]

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Unauthenticated RCE and information disclosure via Local File Inclusion in Johnson Controls Frick Controls. Fifth critical vulnerability in the product line, enabling arbitrary file reads and code execution.

RCE LFI Information Disclosure +1
NVD
EPSS 0% CVSS 8.8
HIGH POC This Week

Open Source Point Of Sale versions up to 3.4.1 is affected by unrestricted upload of file with dangerous type (CVSS 8.8).

PHP RCE LFI +1
NVD GitHub
EPSS 0% CVSS 8.1
HIGH This Week

Mikado-Themes PawFriends - Pet Shop and Veterinary WordPress Theme pawfriends is affected by php remote file inclusion (CVSS 8.1).

WordPress PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local file inclusion in AncoraThemes Unlimhost through version 1.2.3 allows unauthenticated attackers to read arbitrary files from the server via improper handling of include/require statements. The vulnerability carries high confidentiality and integrity impact, enabling attackers to potentially access sensitive configuration files or execute code through log poisoning techniques. No patch is currently available for this issue.

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

AncoraThemes Netmix versions 1.0.10 and earlier contain a local file inclusion vulnerability in PHP file handling that allows unauthenticated remote attackers to read sensitive files from the affected system. The vulnerability stems from improper validation of filenames in include/require statements, enabling attackers to traverse directories and access arbitrary files on the server. No patch is currently available for this high-severity issue (CVSS 8.1).

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Blabber through version 1.7.0 contains a local file inclusion vulnerability in its PHP code that allows unauthenticated attackers to read arbitrary files from the server. An attacker can exploit improper filename validation in include/require statements to access sensitive system files without authentication. No patch is currently available for this high-severity vulnerability affecting PHP environments.

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local file inclusion in AncoraThemes Saveo through version 1.1.2 enables unauthenticated attackers to read arbitrary files on affected servers through improper input validation on file inclusion functions. The vulnerability carries high severity with complete confidentiality and integrity impacts, though no patch is currently available.

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

AncoraThemes Parkivia through version 1.1.9 contains a local file inclusion vulnerability in its PHP include/require handling that allows unauthenticated remote attackers to read arbitrary files from the server. The vulnerability exploits improper filename control mechanisms to access sensitive system files without authentication. No patch is currently available, and exploitation requires moderate attack complexity but results in high confidentiality, integrity, and availability impact.

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

AncoraThemes Impacto Patronus through version 1.2.3 contains a local file inclusion vulnerability in its PHP include/require handling that allows attackers to read arbitrary files on the server. An unauthenticated remote attacker can exploit this vulnerability to access sensitive configuration files, credentials, and other protected data without authentication. No patch is currently available for this vulnerability.

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

AncoraThemes Zio Alberto through version 1.2.2 contains a local file inclusion vulnerability in its PHP file handling that allows unauthenticated attackers to read arbitrary files from the server. The vulnerability stems from improper validation of file paths in include/require statements, enabling attackers to traverse the filesystem and access sensitive data. No patch is currently available for this issue.

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

PHP Local File Inclusion in AncoraThemes Fooddy through version 1.3.10 enables attackers to read arbitrary files on the server through improper input validation in file inclusion mechanisms. An unauthenticated remote attacker can exploit this vulnerability over the network to access sensitive files and potentially execute arbitrary code, achieving high impact on confidentiality, integrity, and availability. No patch is currently available for this vulnerability.

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

AncoraThemes Isida through version 1.4.2 contains a local file inclusion vulnerability in its PHP file handling that allows unauthenticated attackers to read arbitrary files from the server. The flaw stems from improper validation of include/require statements, enabling attackers to access sensitive files and potentially execute arbitrary code. No patch is currently available, and exploitation requires moderate complexity conditions.

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

AncoraThemes Gustavo plugin version 1.2.2 and earlier contains a local file inclusion vulnerability in its PHP file handling that allows unauthenticated remote attackers to read arbitrary files from the server. The vulnerability stems from improper validation of filenames in include/require statements, enabling attackers to traverse the filesystem and access sensitive data. With no available patch, affected sites running vulnerable versions face significant risk of information disclosure.

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Axiomthemes Marveland versions up to 1.3.0 contain a local file inclusion vulnerability in PHP that allows unauthenticated attackers to read arbitrary files on the server through improper handling of include/require statements. An attacker can exploit this weakness over the network without user interaction to disclose sensitive information or potentially execute arbitrary code. No patch is currently available.

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local file inclusion in AncoraThemes Ironfit through version 1.5 enables unauthenticated attackers to read arbitrary files from the server through improper handling of file inclusion parameters. The vulnerability grants high-impact access to sensitive data and potential system compromise without authentication or user interaction required. No patch is currently available for affected installations.

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local file inclusion in Axiomthemes Redy versions up to 1.0.2 allows unauthenticated attackers to read arbitrary files from the affected server by manipulating include/require statements. An attacker can exploit this vulnerability over the network to disclose sensitive information such as configuration files or source code. No patch is currently available for this vulnerability.

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

AncoraThemes Coworking plugin through version 1.6.1 contains a local file inclusion vulnerability in its PHP file handling that could allow attackers to read arbitrary files from the affected server. An unauthenticated remote attacker can exploit improper input validation on filename parameters to access sensitive system files and potentially execute arbitrary code. No patch is currently available for this vulnerability.

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Axiomthemes Jude through version 1.3.0 contains a local file inclusion vulnerability in its PHP include/require handling that allows unauthenticated remote attackers to read arbitrary files from the affected server. The vulnerability requires specific conditions to be met (high complexity) but results in complete compromise of confidentiality, integrity, and availability. No patch is currently available for this vulnerability.

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

PHP Remote File Inclusion in Soleng WordPress theme.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper file inclusion validation in axiomthemes SevenTrees PHP plugin versions 1.0.2 and earlier enables unauthenticated attackers to include and execute arbitrary local files through remote requests. This remote file inclusion vulnerability allows attackers to execute malicious PHP code with full system privileges. Currently no patch is available and the vulnerability has low exploit probability.

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Axiom Themes Rhodos through version 1.3.3 contains a local file inclusion vulnerability in its PHP file handling that allows unauthenticated attackers to read arbitrary files from the server. The improper validation of include/require statements enables attackers to access sensitive application data and configuration files without authentication. Currently no patch is available for this vulnerability.

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Axiomthemes Photolia through version 1.0.3 contains a local file inclusion vulnerability in its PHP include/require handling that enables attackers to read arbitrary files from the affected server. An unauthenticated remote attacker can exploit this weakness over the network to access sensitive information without user interaction. No patch is currently available, making this a high-severity risk for active installations of this theme.

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

PHP Local File Inclusion in axiomthemes A-Mart versions up to 1.0.2 enables unauthenticated remote attackers to read arbitrary files from the server through improper handling of include/require statements. An attacker can leverage this vulnerability to disclose sensitive configuration files, source code, or other confidential data accessible to the web server process. No patch is currently available for this vulnerability.

PHP LFI
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Jetpack CRM versions 6.7.0 and earlier contain a local file inclusion vulnerability in their PHP code that allows attackers to manipulate file inclusion statements and access arbitrary files on the server. An unauthenticated attacker can exploit this through a user interaction to read sensitive files or potentially execute arbitrary code with high impact. No patch is currently available for this vulnerability.

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Mikado-Themes FiveStar plugin through version 1.7 contains a local file inclusion vulnerability in its PHP file handling that allows unauthenticated attackers to read arbitrary files from the server. The vulnerability stems from improper validation of filename parameters in include/require statements, enabling attackers to access sensitive configuration files and other protected resources. No patch is currently available, though exploitation requires specific conditions to be met.

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Edge-Themes Belletrist belletrist allows PHP Local File Inclusion.This issue affects Belletrist: from n/a through <= 1.2. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes PJ | Life & Business Coaching pj allows PHP Local File Inclusion.This issue affects PJ | Life & Business Coaching: from n/a through <= 3.0.0. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes HealthFirst healthfirst allows PHP Local File Inclusion.This issue affects HealthFirst: from n/a through <= 1.0.1. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Select-Themes Struktur struktur allows PHP Local File Inclusion.This issue affects Struktur: from n/a through <= 2.5.1. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX FreightCo freightco allows PHP Local File Inclusion.This issue affects FreightCo: from n/a through <= 1.1.7. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX R&F rf allows PHP Local File Inclusion.This issue affects R&F: from n/a through <= 1.5. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Yokoo yokoo allows PHP Local File Inclusion.This issue affects Yokoo: from n/a through <= 1.1.11. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Cobble cobble allows PHP Local File Inclusion.This issue affects Cobble: from n/a through <= 1.7. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Plank plank allows PHP Local File Inclusion.This issue affects Plank: from n/a through <= 1.7. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Tint tint allows PHP Local File Inclusion.This issue affects Tint: from n/a through <= 1.7. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Splendour splendour allows PHP Local File Inclusion.This issue affects Splendour: from n/a through <= 1.23. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Gable gable allows PHP Local File Inclusion.This issue affects Gable: from n/a through <= 1.5. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 7.5
HIGH This Week

whatwouldjessedo Simple Retail Menus simple-retail-menus is affected by php remote file inclusion (CVSS 7.5).

PHP LFI
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Agence web Eoxia - Montpellier WP shop wpshop allows PHP Local File Inclusion.This issue affects WP shop: from n/a through <= 2.6.1. [CVSS 7.5 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in SolverWp Portfolio Builder swp-portfolio allows PHP Local File Inclusion.This issue affects Portfolio Builder: from n/a through <= 1.2.5. [CVSS 8.1 HIGH]

WordPress PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in SolverWp Eleblog - Elementor Blog And Magazine Addons ele-blog allows PHP Local File Inclusion.This issue affects Eleblog - Elementor Blog And Magazine Addons: from n/a through <= 2.0.3. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in beeteam368 VidoRev vidorev allows PHP Local File Inclusion.This issue affects VidoRev: from n/a through <= 2.9.9.9.9.9.7. [CVSS 7.5 HIGH]

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in fuelthemes PeakShops peakshops allows PHP Local File Inclusion.This issue affects PeakShops: from n/a through < 1.5.9. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Themepul TopperPack - Complete Elementor Addons, Theme &amp; CPT Builder topper-pack allows PHP Local File Inclusion.This issue affects TopperPack - Complete Elementor Addons, Theme &amp; CPT Builder: from n/a through <= 1.2.1. [CVSS 7.5 HIGH]

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 7.5
HIGH This Week

WebCodingPlace WooCommerce Coming Soon Product with Countdown woo-coming-soon-product is affected by php remote file inclusion (CVSS 6.3).

WordPress PHP LFI +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

PHP Remote File Inclusion in Nika WordPress theme by thembay.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Diza diza allows PHP Local File Inclusion.This issue affects Diza: from n/a through <= 1.3.15. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Fana fana allows PHP Local File Inclusion.This issue affects Fana: from n/a through <= 1.1.35. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Zota zota allows PHP Local File Inclusion.This issue affects Zota: from n/a through <= 1.3.14. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in LoftOcean PatioTime patiotime allows PHP Local File Inclusion.This issue affects PatioTime: from n/a through < 2.1. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in LoftOcean CozyStay cozystay allows PHP Local File Inclusion.This issue affects CozyStay: from n/a through < 1.9.1. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Urna urna allows PHP Local File Inclusion.This issue affects Urna: from n/a through <= 2.5.12. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Besa besa allows PHP Local File Inclusion.This issue affects Besa: from n/a through <= 2.3.15. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Hara hara allows PHP Local File Inclusion.This issue affects Hara: from n/a through <= 1.2.17. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Nenad Obradovic Extensive VC Addons for WPBakery page builder extensive-vc-addon is affected by php remote file inclusion (CVSS 8.1).

PHP LFI
NVD
EPSS 0% CVSS 7.5
HIGH This Week

PHP Local File Inclusion in Airtifact versions up to 1.2.91 permits authenticated attackers to read arbitrary files on the server through improper validation of include/require statements. With low privileges required and no user interaction necessary, an attacker can leverage this vulnerability to access sensitive configuration files or application source code. No patch is currently available for this vulnerability.

PHP LFI
NVD
EPSS 0% CVSS 7.5
HIGH This Week

villatheme Sales Countdown Timer for WooCommerce and WordPress sctv-sales-countdown-timer is affected by php remote file inclusion (CVSS 7.5).

WordPress PHP LFI +1
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

cmsmasters CMSMasters Content Composer cmsmasters-content-composer is affected by php remote file inclusion (CVSS 7.5).

PHP LFI
NVD
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

Local File Inclusion in Prodigy Commerce WordPress plugin <= 3.2.9.

WordPress PHP LFI +2
NVD Exploit-DB VulDB
EPSS 0% CVSS 9.1
CRITICAL POC PATCH Act Now

Remote Code Execution in InvoicePlane self-hosted invoicing application through code injection. PoC and patch available.

PHP RCE LFI +1
NVD GitHub
EPSS 0% CVSS 8.8
HIGH This Week

The WP Maps - Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.8.6 via the fc_load_template function. [CVSS 8.8 HIGH]

WordPress PHP LFI
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Arbitrary PHP code execution in the Flexi Product Slider and Grid for WooCommerce WordPress plugin through version 1.0.5 allows authenticated contributors to exploit unsanitized file path parameters in the flexipsg_carousel shortcode to include and execute arbitrary files on the server. The vulnerability requires an attacker with Contributor-level access or above to create posts containing malicious shortcodes, but carries high risk due to lack of input validation on the theme parameter enabling local file inclusion attacks. No patch is currently available for this vulnerability.

WordPress PHP LFI +1
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

The Post Slides WordPress plugin through 1.0.1 does not validate some shortcode attributes before using them to generate paths passed to include function/s, allowing any authenticated users such as with contributor or higher roles to perform LFI attacks [CVSS 5.5 MEDIUM]

WordPress LFI PHP
NVD WPScan
Prev Page 5 of 14 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy