Local File Inclusion

Remote code execution in Responsive FileManager 9.14.0 enables authenticated attackers to run arbitrary code on the underlying server by abusing the force_download.php component. The CWE-98 classification points to improper control of PHP file inclusion, and while no public exploit is identified at time of analysis, the high CVSS of 8.0 reflects full confidentiality, integrity, and availability impact once a target user interacts with the attacker-supplied input.

Local File Inclusion in the SeedProd Pro WordPress plugin (all versions before 6.19.5) lets an authenticated, low-privileged user coerce a PHP include/require statement into loading attacker-influenced local files, leading to disclosure of sensitive server-side files and potential code execution if a controllable file (e.g. an uploaded payload or log) can be included. The flaw, reported by Patchstack and classified CWE-98, carries a CVSS 3.1 base score of 7.5 with high attack complexity. There is no public exploit identified at time of analysis, and CISA SSVC rates exploitation as 'none', indicating this is currently a patch-and-move-on item rather than an emergency.

Local File Inclusion in the Query Shortcode plugin for WordPress (all versions through 0.2.1) lets authenticated users with contributor-level access or higher coerce the shortcode handler into including and executing arbitrary .php files already present on the server. Because included files are run by the PHP interpreter, this can leak sensitive data, bypass access controls, and escalate to full remote code execution where an attacker can also place a .php file (e.g. via an upload feature). EPSS rates near-term exploitation probability very low (0.07%, 21st percentile) and there is no public exploit identified at time of analysis.

A cross-site scripting (XSS) vulnerability in SketchUp 2026's Dynamic Components feature allows remote code execution and local file exfiltration through maliciously crafted SKP files. The vulnerability stems from improper input sanitization in the component options window, enabling attackers to execute arbitrary system commands and read local files without user interaction by exploiting an embedded Internet Explorer 11 browser.

Authenticated remote code execution in Concrete CMS 9.5.0 and earlier allows an administrator with composer form editing privileges to chain a path traversal flaw in the ptComposerFormLayoutSetControlCustomTemplate field with the platform's permissive file uploader to execute arbitrary PHP on the server. The vendor scored this 9.4 (CVSS v4.0) reflecting high confidentiality, integrity, and availability impact across both the vulnerable component and downstream subsequent systems. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Local File Inclusion in the Advanced Database Cleaner - Premium WordPress plugin (versions up to and including 4.1.0) allows Subscriber-level authenticated users to include and execute arbitrary .php files via the 'template' parameter. The flaw, reported by Wordfence, carries a CVSS score of 8.8 and can be escalated to full remote code execution when combined with a file upload primitive, while no public exploit identified at time of analysis.

Local File Inclusion vulnerability in RTMKit Addons for Elementor plugin versions up to 2.0.2 allows authenticated attackers with Author-level privileges to include and execute arbitrary PHP files via the 'path' parameter in the 'get_content' AJAX action, enabling remote code execution. The vulnerability requires low-privilege WordPress account access (Author role or higher) and has a CVSS score of 8.8, indicating high impact across confidentiality, integrity, and availability. EPSS data not available, but exploitation requires specific WordPress role assignment, limiting attack surface to sites where untrusted users have Author-level access. No active exploitation confirmed by CISA KEV at time of analysis.

Local file inclusion in Gibbon school management system versions prior to v30.0.01 enables remote code execution when authenticated users with Teacher or higher privileges manipulate the report archive directory setting to force interpretation of a malicious ZIP file as PHP code. The vulnerability compromises the underlying web server. Project Black Security Services disclosed this flaw with a detailed proof-of-concept, and the vendor released patch v30.0.01 marking it as low severity since it requires administrative access. EPSS data not available, but the high CVSS 8.9 score reflects the critical post-compromise impact despite the high privilege requirement.

Authenticated customers can achieve remote code execution in Froxlor server administration software versions prior to 2.3.6 through path traversal in the API's language parameter. By injecting malicious path traversal sequences into the `def_language` field via the `Customers.update` or `Admins.update` API endpoints, authenticated users can force the application to execute arbitrary PHP code as the web server user on subsequent requests. This vulnerability carries a CVSS score of 9.9 with scope change, indicating potential for full system compromise beyond the vulnerable component. Vendor-released patch version 2.3.6 addresses the vulnerability by implementing proper validation of language parameters against available language files.

Local file inclusion in Livemesh Addons for Elementor (WordPress plugin) ≤9.0 allows authenticated attackers with Contributor-level privileges to include and execute arbitrary PHP files via recursive directory traversal bypass in widget template parameters. The vulnerability requires Elementor plugin installation and either admin interaction (social engineering) or direct Contributor access. CVSS 8.8 reflects high impact (RCE potential) but limited by authentication requirement. No active exploitation confirmed (not in CISA KEV), but publicly available exploit code exists (Wordfence disclosure with technical details and code references).

Local File Inclusion in BoidCMS versions prior to 2.1.3 enables authenticated administrators to execute arbitrary PHP code via path traversal in the tpl parameter combined with file upload. The vulnerability chains unsanitized require_once() inclusion with media upload functionality, allowing attackers to upload malicious files and force their execution with web server privileges. Vendor-released patch available in version 2.1.3. CVSS 7.2 reflects high-privilege requirement (administrator access), but exploitation complexity is low once authenticated. No CISA KEV listing or public exploit code identified at time of analysis.

A Local File Inclusion (LFI) vulnerability in the NFSen module (nfsen.inc.php) of LibreNMS 22.11.0-23-gd091788f2 allows authenticated attackers to include arbitrary PHP files from the server filesystem via path traversal sequences in the nfsen parameter.

Local file inclusion in CactusThemes VideoPro WordPress theme through version 2.3.8.1 allows unauthenticated remote attackers to read arbitrary files on the server via improper filename control in PHP include/require statements. Exploitation requires high attack complexity but no user interaction. EPSS score indicates low observed exploitation activity; no public exploit identified at time of analysis.

Local file inclusion in Case Themes Case Theme User WordPress plugin (versions prior to 1.0.4) enables unauthenticated remote attackers to include arbitrary local files via PHP require/include statements. Successful exploitation requires high attack complexity and user interaction, but grants full compromise of confidentiality, integrity, and availability. Attackers may read sensitive configuration files, execute malicious code if file upload exists, or escalate to remote code execution through log poisoning techniques. No public exploit identified at time of analysis.

Local file inclusion in UnTheme OrganicFood WordPress theme versions up to 3.6.4 enables authenticated attackers with low privileges to read arbitrary files on the server and potentially achieve remote code execution. Exploitation requires network access and high attack complexity (CVSS AC:H), allowing disclosure of sensitive configuration data, credentials, and system files. Authenticated access (PR:L) is required. No public exploit identified at time of analysis. Low observed exploitation activity (EPSS 0.05%).

Local File Inclusion in ApusTheme Homeo WordPress theme versions ≤1.2.59 allows authenticated attackers with low privileges to read arbitrary files on the server via improper file inclusion controls. The vulnerability stems from insufficient validation of file paths in PHP include/require statements, enabling access to sensitive configuration files, credentials, or other restricted content. EPSS score of 0.05% (17th percentile) indicates low predicted exploitation probability, and no public exploit or active exploitation (CISA KEV) has been identified at time of analysis.

Local File Inclusion in ApusTheme Freeio WordPress theme (versions ≤1.3.21) allows authenticated attackers with low privileges to read arbitrary files on the server via PHP file inclusion flaws. Attack complexity is high (AC:H), requiring specific conditions beyond basic authentication. EPSS probability is low (0.05%, 17th percentile) with no confirmed active exploitation (not in CISA KEV) and no public exploit code identified at time of analysis.

Local File Inclusion in Emphires WordPress theme versions ≤3.9 allows authenticated attackers with low privileges to read arbitrary files from the server file system via improper PHP file inclusion controls. Attack complexity is rated high (AC:H), suggesting specific conditions must be met. EPSS exploitation probability is low (0.05%, 17th percentile) with no public exploit identified at time of analysis. Authenticated access requirement and high complexity reduce immediate risk despite CVSS 7.5 rating.

Local file inclusion vulnerability in kutethemes Biolife WordPress theme versions up to 3.2.3 enables authenticated attackers with low privileges to include and execute arbitrary PHP files from the server filesystem via improper filename control in include/require statements. Exploitation requires network access and high complexity conditions (CVSS:3.1 AV:N/AC:H/PR:L), potentially leading to information disclosure, code execution, and full system compromise. No public exploit identified at time of analysis. EPSS score indicates low observed exploitation activity (0.05%).

Local file inclusion in kutethemes Boutique WordPress theme versions ≤2.3.3 allows authenticated attackers with low privileges to include arbitrary PHP files, leading to high-severity impacts including information disclosure, code execution, and system compromise. Exploitation requires network access with high attack complexity. No public exploit identified at time of analysis. Authenticated attack vector (PR:L) limits exposure to users with existing credentials.

Local File Inclusion vulnerability in KuteShop WordPress theme versions ≤4.2.9 enables authenticated attackers with low privileges to include arbitrary PHP files through improper filename control in require/include statements. Exploitation requires high attack complexity and yields complete confidentiality, integrity, and availability compromise within the application context. No public exploit identified at time of analysis. EPSS 0.05% indicates low observed exploitation activity.

Local file inclusion in themeStek LabtechCO WordPress theme versions through 8.3 allows authenticated attackers with low privileges to read arbitrary files from the web server. Despite the CWE classification mentioning remote file inclusion, available data (tags, Patchstack categorization) confirms this is a local file inclusion vulnerability. EPSS score of 0.05% (17th percentile) indicates low observed exploitation probability in the wild, with no confirmed active exploitation (not in CISA KEV)

Local File Inclusion in Mikado Core WordPress plugin (≤1.6) allows authenticated remote attackers to read arbitrary files on the server via improper filename control in PHP include/require statements. Despite a 7.5 CVSS score, real-world risk is limited by low-privilege authentication requirement (PR:L) and high attack complexity (AC:H). EPSS exploitation probability is minimal (0.05%, 17th percentile), with no public exploit identified at time of analysis. Reported by Patchstack, this CWE-98 vulnerability enables information disclosure and potential code execution if attackers chain it with file upload or log poisoning techniques.

Local file inclusion in Emlog admin/plugin.php allows authenticated attackers to execute arbitrary PHP code via unsanitized $plugin parameter in GET requests, provided CSRF token validation can be bypassed. Emlog versions 2.6.2 and prior are affected. An authenticated attacker with high privileges can include arbitrary files from the server filesystem, achieving remote code execution without requiring user interaction. No public exploit code or active exploitation has been confirmed at time of analysis.

Dolibarr Core versions up to 22.0.4 allow authenticated users with minimal privileges to read arbitrary non-PHP files from the server via a Local File Inclusion vulnerability in /core/ajax/selectobject.php. The flaw stems from dynamic file inclusion occurring before authorization checks and a fail-open logic in the access control function, enabling exfiltration of sensitive configuration files, environment variables, and logs. Publicly available exploit code exists, and a vendor patch has been released.

A Local File Inclusion (LFI) vulnerability exists in the nK Visual Portfolio, Photo Gallery & Post Grid WordPress plugin through version 3.5.1, allowing attackers to include and execute arbitrary local files on the server via improper control of filename parameters in PHP include/require statements. An attacker with network access can exploit this vulnerability to disclose sensitive information such as configuration files, database credentials, or other local files stored on the web server. While CVSS and EPSS scores are not publicly available, the vulnerability is classified under CWE-98 (Improper Control of Filename for Include/Require) and affects all installations of this plugin running version 3.5.1 or earlier.

A Local File Inclusion (LFI) vulnerability exists in Gavias Kunco WordPress theme versions prior to 1.4.5, allowing attackers to read arbitrary files from the affected server through improper control of filename parameters in PHP include/require statements. This vulnerability enables information disclosure attacks where sensitive files such as configuration files, source code, or system files could be exposed to unauthenticated or low-privileged attackers. No CVSS score or EPSS data is currently available, but the vulnerability is classified under CWE-98 (Improper Control of Filename for Include/Require Statement), a critical class of PHP-based remote/local file inclusion flaws.

A Local File Inclusion (LFI) vulnerability exists in the CreativeWS Kiddy WordPress theme through version 2.0.8, allowing attackers to read arbitrary files from the affected server through improper control of filename parameters in PHP include/require statements. An attacker can exploit this vulnerability to disclose sensitive information such as configuration files, database credentials, or other locally stored data without requiring authentication or special privileges. While no CVSS score or EPSS data is currently available, the vulnerability is actively tracked by multiple security intelligence sources including Patchstack and ENISA, indicating confirmed exploitability.

A Local File Inclusion (LFI) vulnerability exists in CreativeWS VintWood WordPress theme versions up to and including 1.1.8, stemming from improper control of filenames in PHP include/require statements. This vulnerability allows unauthenticated attackers to read arbitrary files from the affected server, potentially exposing sensitive configuration files, database credentials, and other confidential information. No CVSS score, EPSS data, or KEV status is currently available, but the issue is documented across multiple security intelligence sources including Patchstack and ENISA.

A Local File Inclusion (LFI) vulnerability exists in CreativeWS Trendustry WordPress theme versions up to 1.1.4, allowing attackers to include and execute arbitrary local files through improper control of filename parameters in PHP include/require statements. This vulnerability can lead to information disclosure by allowing attackers to read sensitive files on the server without requiring authentication or special privileges. While no CVSS or EPSS scores are currently published, the LFI classification and information disclosure impact indicate this represents a significant security risk for affected installations.

A Local File Inclusion (LFI) vulnerability exists in CreativeWS MetaMax theme versions up to and including 1.1.4, allowing attackers to include and execute arbitrary local files through improper handling of PHP include/require statements. An unauthenticated remote attacker can exploit this to disclose sensitive files, read configuration data containing credentials, or potentially achieve remote code execution by including files with executable content. While no CVSS score or EPSS data is currently available, the vulnerability has been confirmed and documented by Patchstack with a direct reference to the affected WordPress theme.

A Local File Inclusion (LFI) vulnerability exists in the Mikado-Themes Rosebud WordPress theme through version 1.4, allowing attackers to include and execute arbitrary local files on the server via improper control of filename parameters in PHP include/require statements. This vulnerability enables information disclosure and potential remote code execution by reading sensitive files or including PHP files from the web root. No active exploitation in the wild has been publicly confirmed, but the vulnerability affects all installations of Rosebud up to and including version 1.4.

A Local File Inclusion (LFI) vulnerability exists in the Mikado-Themes Deston WordPress theme through version 1.0, allowing attackers to read arbitrary files from the server filesystem via improper control of filename parameters in PHP include/require statements. This vulnerability, classified as CWE-98 (PHP Remote File Inclusion), enables information disclosure attacks where sensitive files such as configuration files, database credentials, or source code could be exposed. The vulnerability affects all versions of Deston up to and including 1.0, and has been documented by Patchstack with an EUVD ID (EUVD-2026-15787), though CVSS scoring and KEV status are not yet available.

A Local File Inclusion (LFI) vulnerability exists in the Mikado-Themes Amfissa WordPress theme through version 1.1, allowing attackers to improperly control filenames in PHP include/require statements. This vulnerability enables unauthorized information disclosure by reading arbitrary local files from the affected server. The issue stems from improper input validation on file inclusion parameters and affects all versions of Amfissa up to and including version 1.1.

A Local File Inclusion (LFI) vulnerability exists in the Mikado-Themes Emaurri WordPress theme through version 1.0.1, allowing attackers to include and execute arbitrary local files on the affected server. The vulnerability stems from improper control of filenames in PHP include/require statements (CWE-98), enabling information disclosure and potential remote code execution depending on file access and PHP configuration. While CVSS and EPSS scores are not available, the attack vector appears to be network-based with low complexity, and the vulnerability has been documented by Patchstack but exploitation status and proof-of-concept availability require verification from primary sources.

A Local File Inclusion (LFI) vulnerability exists in Mikado-Themes' MultiOffice WordPress theme versions up to and including 1.2, stemming from improper control of filenames in PHP include/require statements. An attacker can exploit this vulnerability to read arbitrary files from the affected server, potentially disclosing sensitive configuration files, database credentials, or other confidential information. No CVSS score, EPSS data, or active exploitation (KEV) status has been assigned to this vulnerability.

A Local File Inclusion (LFI) vulnerability exists in the Mikado-Themes LuxeDrive WordPress theme (version 1.0 and earlier) that allows attackers to read arbitrary files from the affected server through improper control of filename parameters in PHP include/require statements. An unauthenticated attacker can exploit this vulnerability to disclose sensitive information such as configuration files, database credentials, or other system files without requiring special privileges or user interaction. While no CVSS score or EPSS data is currently available, the vulnerability class (CWE-98: Improper Control of Filename for Include/Require Statement) indicates a high-severity condition with straightforward exploitation mechanics.

A Local File Inclusion (LFI) vulnerability exists in the Mikado-Themes Belfort WordPress theme version 1.0 and earlier, allowing attackers to include and execute arbitrary local files through improper control of filename parameters in PHP include/require statements. While classified as a Remote File Inclusion vulnerability in the CVE description, the actual impact is Local File Inclusion, enabling information disclosure through the reading of sensitive files such as configuration files, database credentials, and source code. No CVSS score, EPSS data, or KEV status is currently available, but the vulnerability's nature suggests moderate to high real-world risk given the prevalence of WordPress themes and the ease of exploitation.

A Local File Inclusion (LFI) vulnerability exists in Elated-Themes' The Aisle Core WordPress plugin through version 2.0.5, stemming from improper control of filenames in PHP include/require statements. This vulnerability allows unauthenticated attackers to read arbitrary files from the affected server, potentially exposing sensitive configuration files, database credentials, and other confidential information. No CVSS score, EPSS data, or active KEV status is currently available, but the vulnerability has been publicly documented by Patchstack and assigned EUVD-2026-15765.

A Local File Inclusion (LFI) vulnerability exists in Mikado-Themes Curly Core plugin for WordPress through version 2.1.6, allowing improper control of filenames in PHP include/require statements. Attackers can exploit this to read arbitrary local files from the affected server, potentially disclosing sensitive configuration files, database credentials, and other confidential data. No CVSS score or EPSS data is currently available, and KEV/active exploitation status is unknown, but the vulnerability has been documented by Patchstack with a public reference URL.

A Local File Inclusion (LFI) vulnerability exists in TieLabs Jannah WordPress theme through version 7.6.3, stemming from improper control of filename parameters in PHP include/require statements. An attacker can exploit this vulnerability to read arbitrary local files from the affected server, potentially disclosing sensitive configuration files, credentials, or source code. No CVSS score, EPSS data, or active KEV listing is currently available, but the LFI classification and information disclosure impact indicate moderate to high real-world risk depending on server configuration and file permissions.

The Select-Themes Moments WordPress theme versions 2.2 and earlier contain a Local File Inclusion (LFI) vulnerability that allows attackers to improperly control filename parameters in PHP include/require statements. An unauthenticated attacker can exploit this vulnerability to read arbitrary files from the affected server, potentially disclosing sensitive configuration files, source code, or other confidential information. While no CVSS score or EPSS data is currently available and no active KEV listing is confirmed, the vulnerability is catalogued by Patchstack and has been assigned EUVD-2026-15740, indicating documented exploitation potential.

A Local File Inclusion (LFI) vulnerability exists in the Select-Themes Mixtape WordPress theme through version 2.1, allowing attackers to include and execute arbitrary local files on the affected server. The vulnerability stems from improper control of filenames in PHP include/require statements (CWE-98), enabling information disclosure and potential remote code execution depending on file accessibility. While no CVSS score or EPSS data is currently available, the LFI classification and PHP nature of the vulnerability indicate moderate to high exploitability with network-based attack vectors.

A Local File Inclusion (LFI) vulnerability exists in jwsthemes IdealAuto WordPress theme versions prior to 3.8.6, where improper control of filenames in PHP include/require statements allows attackers to read arbitrary files from the affected server. An unauthenticated remote attacker can exploit this vulnerability to disclose sensitive information such as configuration files, database credentials, and other system files. This vulnerability has been documented by Patchstack and tracked under EUVD-2026-15701; no CVSS score is currently assigned, though the tags indicate it enables information disclosure through PHP-based file inclusion.

A Local File Inclusion (LFI) vulnerability exists in the JWSThemes LoveDate WordPress theme through version 3.8.5, allowing attackers to read arbitrary files from the affected server through improper control of filename parameters in PHP include/require statements. The vulnerability affects all versions of LoveDate prior to 3.8.6, and an attacker can exploit this to disclose sensitive information such as configuration files, database credentials, and other system files without requiring authentication or special privileges.

A PHP Local File Inclusion (LFI) vulnerability exists in jwsthemes Feedy theme versions prior to 2.1.5, stemming from improper control of filenames in PHP include/require statements. This vulnerability allows unauthenticated attackers to read arbitrary files from the affected server, potentially exposing sensitive configuration files, database credentials, and other confidential information. The vulnerability is classified under CWE-98 (Improper Control of Filename for Include/Require Statement) and was reported by Patchstack, affecting WordPress installations using the vulnerable Feedy theme.

A Local File Inclusion (LFI) vulnerability exists in jwsthemes StreamVid WordPress theme versions prior to 6.8.6, where improper control of filename parameters in PHP include/require statements allows attackers to read arbitrary files from the server. The vulnerability is classified as CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program) and has been documented by Patchstack with ENISA tracking ID EUVD-2026-15696. While no CVSS score or EPSS data is currently published, the LFI classification indicates potential for sensitive information disclosure including configuration files, source code, and credentials.

A Local File Inclusion (LFI) vulnerability exists in the NaturaLife Extensions WordPress plugin (versions up to 2.1) due to improper control of filenames in PHP include/require statements. This vulnerability allows unauthenticated attackers to read arbitrary files from the affected server, potentially leading to sensitive information disclosure such as configuration files, database credentials, and application source code. No CVSS score, EPSS data, or active KEV status is available, but the vulnerability is confirmed by Patchstack and tracked under EUVD-2026-15617.

AncoraThemes Wizor's investment theme for WordPress versions through 2.12 contains a Local File Inclusion (LFI) vulnerability that allows attackers to include and execute arbitrary local files on the server through improper handling of filename parameters in PHP include/require statements. This vulnerability enables information disclosure and potential remote code execution depending on server configuration and available files. While no CVSS score or EPSS data has been assigned, the vulnerability is tracked in the ENISA EUVD database (EUVD-2026-15532) and was reported by Patchstack, indicating active security research and likely proof-of-concept availability.

A Local File Inclusion (LFI) vulnerability exists in AncoraThemes VegaDays WordPress theme through version 1.2.0, allowing improper control of filenames in PHP include/require statements. Attackers can leverage this vulnerability to read arbitrary files from the affected server, potentially disclosing sensitive configuration files, database credentials, and other confidential data. While no CVSS score or EPSS data is currently available and KEV status is unknown, the vulnerability is classified as an information disclosure issue with a straightforward exploitation path typical of LFI vulnerabilities in WordPress themes.

This is a Local File Inclusion (LFI) vulnerability in AncoraThemes Unica WordPress theme versions up to and including 1.4.1, where improper control of filenames in PHP include/require statements allows attackers to read arbitrary local files from the affected server. An unauthenticated remote attacker can exploit this vulnerability to disclose sensitive information such as configuration files, database credentials, or other sensitive data stored on the server. The vulnerability is classified as CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program) and has been documented by Patchstack with ENISA EUVD tracking ID EUVD-2026-15528.

A Local File Inclusion (LFI) vulnerability exists in AncoraThemes Triompher WordPress theme versions up to and including 1.1.0, caused by improper control of filename parameters in PHP include/require statements. An unauthenticated attacker can exploit this vulnerability to read arbitrary files from the server, leading to information disclosure of sensitive data such as configuration files, database credentials, and other system files. No CVSS score, EPSS data, or known exploitation in the wild (KEV status) has been published, but the vulnerability is confirmed and documented by Patchstack with an available reference.

A security vulnerability in Elated-Themes Roisin roisin allows PHP Local File Inclusion (CVSS 8.1). High severity vulnerability requiring prompt remediation.

A Local File Inclusion (LFI) vulnerability exists in the Elated-Themes NeoBeat WordPress theme through version 1.2, allowing attackers to read arbitrary files from the affected server through improper control of filename parameters in PHP include/require statements. The vulnerability enables information disclosure attacks where an attacker can access sensitive files such as configuration files, database credentials, and source code without requiring authentication or special privileges. This is a CWE-98 vulnerability that transforms what was initially reported as PHP Remote File Inclusion (RFI) into a confirmed Local File Inclusion attack vector.

A Local File Inclusion (LFI) vulnerability exists in the Elated-Themes Gioia WordPress theme through version 1.4, allowing improper control of filenames in PHP include/require statements. Attackers can leverage this vulnerability to read sensitive local files from the affected web server, potentially disclosing configuration files, database credentials, or other confidential information. The vulnerability affects all installations of Gioia version 1.4 and earlier, with no CVSS or EPSS scoring data currently available, though the CWE-98 classification and LFI nature suggest moderate to high practical risk.

A Local File Inclusion (LFI) vulnerability exists in the AncoraThemes Dentalux WordPress theme through version 3.3, allowing attackers to include and execute arbitrary local files on the server. This vulnerability stems from improper control of filenames in PHP include/require statements (CWE-98), enabling attackers to read sensitive files or execute malicious code without requiring authentication. While no CVSS score or EPSS probability is currently available, the LFI classification and information disclosure tags indicate this poses a significant risk for unauthorized file access and potential remote code execution.

A Local File Inclusion (LFI) vulnerability exists in the Elated-Themes Amoli WordPress theme version 1.0 and earlier, stemming from improper control of filenames in PHP include/require statements. An attacker can exploit this weakness to read arbitrary files from the affected server, potentially disclosing sensitive configuration files, database credentials, or other confidential information. The vulnerability is classified under CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program) and has been documented by Patchstack with ENISA EUVD identifier EUVD-2026-15514.

A security vulnerability in ThemeREX ProLingua prolingua allows PHP Local File Inclusion (CVSS 8.1). High severity vulnerability requiring prompt remediation.

A Local File Inclusion (LFI) vulnerability exists in the ThemeREX Nelson WordPress theme through version 1.2.0, allowing attackers to read arbitrary files from the affected server. The vulnerability stems from improper control of filenames in PHP include/require statements (CWE-98), enabling information disclosure attacks without authentication. While no CVSS score or EPSS data is currently available, the LFI classification and public disclosure via Patchstack indicate this is a genuine security concern affecting WordPress installations using vulnerable Nelson theme versions.

A Local File Inclusion (LFI) vulnerability exists in AncoraThemes Mr. Cobbler WordPress theme through version 1.1.9, stemming from improper control of filenames in PHP include/require statements (CWE-98). An attacker can exploit this vulnerability to disclose sensitive local files from the affected server by manipulating include parameters. While no CVSS score or EPSS data is currently available and KEV status is unknown, the vulnerability is classified as high-severity due to its information disclosure impact and the ease with which LFI vulnerabilities are typically exploited.

This vulnerability is a Local File Inclusion (LFI) flaw in the Elated-Themes Lella WordPress theme that allows improper control of filename parameters in PHP include/require statements, enabling attackers to read arbitrary files from the affected server. The vulnerability affects Lella theme versions through 1.2, and while CVSS and EPSS scores are not available, the nature of LFI vulnerabilities typically permits information disclosure of sensitive files such as configuration files, database credentials, and source code. No KEV status or public proof-of-concept has been confirmed in this intelligence dataset, but the vulnerability was reported by Patchstack, a reputable WordPress security researcher.

A Local File Inclusion (LFI) vulnerability exists in the Laurent WordPress theme (versions up to 3.1) due to improper control of filenames in PHP include/require statements, allowing attackers to read arbitrary files from the affected server. This vulnerability, reported by Patchstack and tracked as EUVD-2026-15503, enables information disclosure attacks without requiring authentication or special privileges. The vulnerability is classified under CWE-98 (Improper Control of Filename for Include/Require Statement in PHP) and affects all installations of Laurent theme version 3.1 and earlier.

A Local File Inclusion (LFI) vulnerability exists in the AncoraThemes Hypnotherapy WordPress theme through version 1.2.10, allowing attackers to read arbitrary files from the affected server by manipulating filename parameters in PHP include/require statements. This vulnerability is classified as CWE-98 (Improper Control of Filename for Include/Require Statement) and enables information disclosure attacks. The vulnerability has been documented by Patchstack and assigned EUVD ID EUVD-2026-15502, though no CVSS score or CVSS vector has been formally assigned, and active exploitation status remains unconfirmed in public intelligence.

AncoraThemes Greenville WordPress theme versions up to and including 1.3.2 contain a Local File Inclusion (LFI) vulnerability resulting from improper control of filenames in PHP include/require statements (CWE-98). An attacker can exploit this vulnerability to read arbitrary files from the affected server, leading to information disclosure of sensitive configuration files, source code, and other locally stored data. No CVSS score, EPSS probability, or KEV status have been assigned at this time, though the vulnerability has been formally documented by Patchstack and assigned an ENISA EUVD ID.

A Local File Inclusion (LFI) vulnerability exists in the ThemeREX Good Homes WordPress theme through version 1.3.13, allowing attackers to include and execute arbitrary local files on the affected server. The vulnerability stems from improper control of filenames in PHP include/require statements (CWE-98), enabling unauthenticated attackers to disclose sensitive information or achieve remote code execution by accessing system files. No CVSS score, EPSS data, or active KEV designation was reported, but the LFI classification and information disclosure impact indicate this requires prompt patching.

A Local File Inclusion (LFI) vulnerability exists in the Elated-Themes Gaspard WordPress theme through version 1.3, stemming from improper control of filenames in PHP include/require statements. An unauthenticated attacker can exploit this vulnerability to read arbitrary files from the affected server, potentially disclosing sensitive information such as configuration files, database credentials, or other sensitive data. The vulnerability affects all versions up to and including 1.3, and while no CVSS score or EPSS data is currently published, the LFI classification and information disclosure impact indicate this requires prompt remediation.

Uptime Kuma versions 1.23.0 through 2.2.0 contain an incomplete Server-Side Template Injection (SSTI) vulnerability in the LiquidJS templating engine that allows authenticated attackers to read arbitrary files from the server. A prior fix (GHSA-vffh-c9pq-4crh) attempted to restrict file path access through three mitigation options (root, relativeReference, dynamicPartials), but this fix only blocks quoted paths; attackers can bypass the mitigation by using unquoted absolute paths like /etc/passwd that successfully resolve through the require.resolve() fallback mechanism in liquid.node.js. The vulnerability requires low privileges (authenticated access) but can result in high confidentiality impact, making it a notable information disclosure risk for self-hosted monitoring deployments.

A PHP Local File Inclusion vulnerability exists in the ThemeREX Melania WordPress theme, allowing remote attackers to include and execute arbitrary local files on the server. All versions up to and including 2.5.0 are affected. The CVSS score of 8.1 indicates high severity with network-based attack vector, though attack complexity is rated as high; there is no evidence of active exploitation (not in KEV) or public proof-of-concept at this time.

ThimPress BuilderPress, a WordPress plugin, contains a Local File Inclusion vulnerability through improper filename control in PHP include/require statements that allows unauthenticated remote attackers to read arbitrary files from the server. All versions through 2.0.1 are affected. With a CVSS score of 9.8 (Critical) and no authentication required, this represents a severe vulnerability allowing unauthorized information disclosure, though EPSS and KEV status data are not provided in the intelligence sources.

A PHP remote/local file inclusion vulnerability exists in the Ovatheme Tripgo WordPress theme due to improper control of filename parameters in include/require statements. Versions prior to 1.5.6 are affected, allowing unauthenticated remote attackers to potentially include arbitrary files and execute malicious code. This vulnerability has a CVSS score of 8.1 (High) with network attack vector but high attack complexity, and has been reported by Patchstack as exploitable for local file inclusion and information disclosure.

The NextGEN Gallery plugin for WordPress contains a Local File Inclusion vulnerability in the 'template' parameter of gallery shortcodes, affecting all versions up to and including 4.0.3. Authenticated attackers with Author-level privileges or higher can include and execute arbitrary PHP files on the server, potentially leading to remote code execution, data theft, or complete site compromise. This is a confirmed vulnerability reported by Wordfence with a high CVSS score of 8.8, though no active exploitation (KEV) status has been reported at this time.

LDAP Account Manager (LAM), a web-based interface for managing LDAP directory entries, contains a local file inclusion vulnerability in its PDF export functionality that allows authenticated users to include and execute arbitrary PHP files. When chained with GHSA-88hf-2cjm-m9g8, this vulnerability enables complete remote code execution on the affected server. The vulnerability affects all versions prior to 9.5 and requires low-privilege authentication (CVSS 8.8, PR:L), tracking across 7 Ubuntu and 4 Debian releases indicates significant deployment in enterprise LDAP environments.

A PHP remote file inclusion vulnerability exists in themelexus Medilazar Core WordPress plugin that allows attackers to include arbitrary PHP files from local or remote sources, potentially leading to remote code execution. The vulnerability affects all versions of Medilazar Core prior to 1.4.7 and requires low privileges but high attack complexity to exploit. While not currently listed in CISA KEV or showing high EPSS scores, the potential for code execution makes this a serious concern for WordPress sites using this medical/healthcare theme framework.

Sprout Invoices Client Invoicing versions 20.8.9 and earlier contain a local file inclusion vulnerability in PHP that allows authenticated attackers with high privileges to read arbitrary files on the affected server. An attacker exploiting this vulnerability could access sensitive configuration files, source code, or other confidential data without requiring user interaction. No patch is currently available for this vulnerability.

A PHP remote file inclusion vulnerability exists in the ThemetechMount Boldman theme that allows attackers to include arbitrary local files, potentially leading to remote code execution. The vulnerability affects all Boldman theme versions up to and including version 7.7, enabling authenticated attackers with low privileges to compromise the system through malicious file inclusion. While not currently listed in CISA's KEV catalog, the vulnerability has a moderate CVSS score of 7.5 and requires some attack complexity to exploit successfully.

Greenly Theme Addons for PHP versions prior to 8.2 contain a local file inclusion vulnerability in filename handling that allows authenticated attackers to read arbitrary files on the affected server. An attacker with valid credentials can exploit improper input validation to include and execute local files, potentially leading to information disclosure or code execution. No patch is currently available for this vulnerability.

Local file inclusion in Greenly through version 8.1 allows authenticated attackers to read arbitrary files on the server due to improper input validation in file inclusion functions. The vulnerability requires valid credentials but no user interaction, enabling attackers with PHP access to potentially escalate privileges or extract sensitive data. No patch is currently available for this high-severity vulnerability affecting the PHP-based Greenly application.

WpBookingly plugin versions 1.2.9 and earlier contain a local file inclusion vulnerability in their service-booking-manager component that allows authenticated attackers to read arbitrary files from the affected server. An attacker with valid credentials can exploit improper filename validation in PHP include/require statements to access sensitive information on the system. No patch is currently available for this vulnerability.

Medilink-Core versions before 2.0.7 contain a local file inclusion vulnerability in PHP that allows authenticated attackers to read arbitrary files on the affected system through improper handling of file inclusion statements. An attacker with valid credentials can exploit this weakness to access sensitive information without requiring user interaction. No patch is currently available for this vulnerability.

Turbo Manager versions below 4.0.8 contain a local file inclusion vulnerability in PHP file handling that allows authenticated attackers to include and execute arbitrary files on the system. An attacker with valid credentials can leverage improper filename validation to access sensitive files or achieve code execution. No patch is currently available, and exploitation requires network access with valid authentication credentials.

LFI to RCE in IFTOP by WellChoose.

Openclaw versions up to 2026.2.14 contains a vulnerability that allows attackers to read arbitrary files from the local filesystem (CVSS 7.5).

Local file inclusion in axiomthemes Little Birdies plugin version 1.3.16 and earlier enables unauthenticated remote attackers to read arbitrary files from the server through improper input validation on file inclusion parameters. An attacker can exploit this vulnerability to access sensitive configuration files, source code, or other data without authentication. No patch is currently available for this vulnerability.

Local file inclusion in ThemeREX Verse PHP theme versions 1.7.0 and earlier allows unauthenticated attackers to read arbitrary files on the server through improper input validation on file inclusion functions. The vulnerability requires specific conditions for exploitation but carries high impact potential including confidentiality and integrity compromise. No patch is currently available.

Local file inclusion in AncoraThemes Midi through version 1.14 enables unauthenticated remote attackers to read arbitrary files on affected systems. The vulnerability stems from improper validation of file paths in PHP include/require statements, allowing attackers to traverse directories and access sensitive data. Currently no patch is available for this vulnerability.

AncoraThemes Notarius through version 1.9 contains a local file inclusion vulnerability in its PHP file handling that allows unauthenticated remote attackers to read arbitrary files from the affected server. The vulnerability stems from improper validation of filenames in include/require statements, enabling attackers to traverse the filesystem and access sensitive data. No patch is currently available for this high-severity flaw.

AncoraThemes Veil through version 1.9 contains a local file inclusion vulnerability in PHP that allows unauthenticated attackers to read arbitrary files on the affected server. The vulnerability stems from improper input validation on file include/require statements, enabling attackers to manipulate filename parameters to access sensitive system files. While no patch is currently available, the exploit requires specific conditions (high complexity) to successfully leverage.

Local and remote file inclusion in AncoraThemes Anderson through version 1.4.2 enables attackers to read arbitrary files or execute malicious code on affected systems. The vulnerability stems from improper validation of file paths in PHP include/require statements, allowing unauthenticated attackers to manipulate input parameters over the network. No patch is currently available for this high-severity issue affecting PHP-based installations.

Local file inclusion in ThemeREX Dr.Patterson plugin versions up to 1.3.2 enables unauthenticated attackers to read arbitrary files from the server through improper input validation on file inclusion parameters. The vulnerability allows information disclosure and potential code execution depending on server configuration and accessible files. No patch is currently available for this vulnerability.

Axiomthemes Nirvana version 2.6 and earlier contains a local file inclusion vulnerability in its PHP include/require handling that allows unauthenticated attackers to read arbitrary files from the server. The vulnerability stems from improper filename validation and could enable information disclosure or facilitate further compromise, though no patch is currently available. With a CVSS score of 8.1 and low exploitation likelihood (0.2% EPSS), organizations running affected versions should prioritize mitigation strategies until an official patch is released.