Local File Inclusion
Local File Inclusion vulnerabilities occur when an application accepts user-controlled input to specify which file should be loaded or executed, typically through functions like PHP's `include()`, `require()`, or `fopen()`.
How It Works
Local File Inclusion vulnerabilities occur when an application accepts user-controlled input to specify which file should be loaded or executed, typically through functions like PHP's include(), require(), or fopen(). The attacker manipulates file path parameters—often using directory traversal sequences like ../ or absolute paths—to access files outside the intended directory. For example, a URL parameter ?page=dashboard might be vulnerable if changed to ?page=../../../../etc/passwd.
Modern LFI exploitation extends beyond simple file reading. Attackers leverage PHP wrappers like php://filter to apply encoding filters that bypass content restrictions. The php://filter/convert.base64-encode wrapper allows reading PHP source code without execution, exposing credentials and logic flaws. More sophisticated attacks chain multiple filters together to construct executable PHP code from seemingly harmless character transformations.
Log poisoning escalates LFI to remote code execution by injecting malicious PHP code into log files (access logs, error logs, email logs), then using the LFI vulnerability to include and execute those logs. Attackers can also abuse data wrappers (data://text/plain,<?php system($_GET['cmd']);?>) or expect:// protocol handlers depending on server configuration.
Impact
- Source code disclosure — exposing application logic, API keys, database credentials, and proprietary algorithms
- Configuration file access — reading database connection strings, encryption keys, cloud service credentials from config files
- Sensitive data extraction — accessing
/etc/passwd, SSH keys, user data files, session tokens - Remote code execution — through log poisoning, wrapper abuse, or including uploaded files containing malicious code
- Lateral movement preparation — gathering internal network details, service configurations, and authentication mechanisms
Real-World Examples
The osTicket CVE-2022-22200 vulnerability demonstrated advanced filter chain exploitation where attackers injected a PHP filter chain into a ticket's CSS style attribute. The malicious payload bypassed the htmLawed HTML sanitizer using strategic whitespace, then exploited mPDF's processing of php:// wrappers after URL-decoding. This allowed arbitrary file reading that escalated to RCE through chained filter operations.
phpMyAdmin has experienced multiple LFI vulnerabilities where attackers manipulated theme selection or language file parameters to include arbitrary files, often combining this with session file poisoning to achieve code execution. Content management systems like WordPress plugins frequently expose LFI through template loading mechanisms where developers fail to validate file path inputs properly.
Mitigation
- Eliminate dynamic file inclusion — use routing tables or switch statements mapping IDs to hardcoded file paths instead of concatenating user input
- Strict allowlisting — maintain explicit arrays of permitted files; validate user input against this list, never use input directly in paths
- Disable dangerous PHP wrappers — set
allow_url_include=0andallow_url_fopen=0in php.ini; disableexpect://,phar://, anddata://wrappers - Implement path canonicalization — resolve paths with
realpath(), verify they remain within allowed directories usingstrpos()checks - Apply least privilege — run web applications with minimal file system permissions, preventing access to sensitive system files
- Input validation — reject any input containing
../, absolute paths, null bytes, or protocol specifiers
Recent CVEs (1172)
A security vulnerability in codesupplyco Networker allows PHP Local File Inclusion (CVSS 8.1). High severity vulnerability requiring prompt remediation.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WebGeniusLab Zikzag Core allows PHP Local File Inclusion. This issue affects Zikzag Core: from n/a through 1.4.5.
A security vulnerability in thembay Greenmart allows PHP Local File Inclusion (CVSS 8.1). High severity vulnerability requiring prompt remediation.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Fastw3b LLC FW Gallery allows PHP Local File Inclusion. This issue affects FW Gallery: from n/a through 8.0.0.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Case-Themes CTUsers allows PHP Local File Inclusion. This issue affects CTUsers: from n/a through 1.0.0.
A security vulnerability in thembay Puca allows PHP Local File Inclusion (CVSS 8.1). High severity vulnerability requiring prompt remediation.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in serpednet SERPed.net allows PHP Local File Inclusion. This issue affects SERPed.net: from n/a through 4.6.
A security vulnerability in snstheme SNS Vicky allows PHP Local File Inclusion (CVSS 8.1). High severity vulnerability requiring prompt remediation.
A remote code execution vulnerability (CVSS 8.1). High severity vulnerability requiring prompt remediation.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in BZOTheme PrintXtore allows PHP Local File Inclusion.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in BZOTheme Zenny allows PHP Local File Inclusion. This issue affects Zenny: from n/a through 1.7.5.
A security vulnerability in goalthemes Sofass allows PHP Local File Inclusion (CVSS 8.1). High severity vulnerability requiring prompt remediation.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in snstheme Samex - Clean, Minimal Shop WooCommerce WordPress Theme allows PHP Local File Inclusion. This issue affects Samex - Clean, Minimal Shop WooCommerce WordPress Theme: from n/a through 2.6.
CVE-2025-52715 is a PHP Local File Inclusion (LFI) vulnerability in RadiusTheme's Classified Listing plugin that allows authenticated attackers to include and execute arbitrary local files through improper filename validation in PHP include/require statements. The vulnerability affects Classified Listing versions up to 4.2.0, and while the CVSS score of 7.5 indicates high severity, exploitation requires local authentication and non-standard attack complexity, suggesting moderate real-world risk absent evidence of active exploitation or public proof-of-concept.
CVE-2025-52708 is a PHP Local File Inclusion (LFI) vulnerability in RealMag777 HUSKY versions up to 1.3.7, stemming from improper control of filenames in include/require statements. An authenticated attacker with low-to-medium privilege requirements can exploit this remotely to read arbitrary files from the server filesystem, potentially leading to information disclosure, code execution, or system compromise. The CVSS 7.5 score and requirement for authenticated access (PR:L) suggest moderate real-world risk; active exploitation status and POC availability are not confirmed from available data, but the vulnerability class (CWE-98 RFI/LFI) is historically high-value for attackers.
Local File Inclusion (LFI) vulnerability in Trend Micro Apex Central widgets (versions below 8.0.6955) that allows authenticated attackers to include and execute arbitrary PHP files, achieving remote code execution on affected systems. The vulnerability requires low-level user authentication and moderate attack complexity but carries high impact across confidentiality, integrity, and availability. Active exploitation status and proof-of-concept availability have not been confirmed from the provided data, but the authentication requirement and network accessibility make this a credible threat to deployed Apex Central instances.
Local File Inclusion (LFI) vulnerability in Trend Micro Apex Central widgets that enables remote code execution (RCE) on affected systems. This vulnerability affects Trend Micro Apex Central installations below version 8.0.6955 and requires an authenticated attacker with low privileges to exploit. The vulnerability combines LFI with RCE capabilities, representing a significant threat to organizations using vulnerable Apex Central deployments.
PHP Local/Remote File Inclusion (LFI/RFI) vulnerability in LoftOcean CozyStay that allows unauthenticated remote attackers to include and execute arbitrary files through improper control of filename parameters in PHP include/require statements. The vulnerability affects CozyStay with a CVSS score of 8.1 (High severity), enabling attackers to read sensitive files, execute arbitrary code, or compromise system integrity without requiring user interaction or authentication.
PHP Local/Remote File Inclusion (LFI/RFI) vulnerability in thembay Diza affecting versions through 1.3.8, stemming from improper control of filenames in include/require statements (CWE-98). An unauthenticated network attacker can exploit this with high complexity to achieve arbitrary file inclusion, leading to information disclosure, code execution, or system compromise. The high CVSS score of 8.1 reflects the severity of potential impacts (confidentiality, integrity, and availability), though real-world exploitability depends on PHP configuration and the specific include/require patterns in affected code.
A security vulnerability in thembay Aora allows PHP Local File Inclusion (CVSS 8.1). High severity vulnerability requiring prompt remediation.
PHP Local File Inclusion (LFI) vulnerability in thembay Hara that allows unauthenticated remote attackers to include and execute arbitrary local files through improper control of filename parameters in PHP include/require statements. Affected versions range from an unspecified baseline through version 1.2.10. While the CVSS score of 8.1 is elevated, the attack complexity is rated 'High,' suggesting real-world exploitation requires specific environmental conditions or timing.
PHP Local File Inclusion (LFI) vulnerability in thembay Maia versions up to 1.1.15, caused by improper control of filenames in PHP include/require statements (CWE-98). An unauthenticated remote attacker can exploit this over the network with high complexity to read arbitrary files on the server, potentially leading to code execution, information disclosure, and system compromise. The vulnerability has a CVSS 3.1 score of 8.1 (High severity) with network accessibility and no privilege requirements, though exploitation requires non-standard conditions (AC:H).
A security vulnerability in thembay Zota allows PHP Local File Inclusion (CVSS 8.1). High severity vulnerability requiring prompt remediation.
PHP Local File Inclusion (LFI) vulnerability in thembay Sapa that allows unauthenticated remote attackers to include and execute arbitrary PHP files through improper input validation on filename parameters in include/require statements. Affected versions range from an unspecified baseline through version 1.1.14. With a CVSS score of 8.1 and network-accessible attack vector, this vulnerability enables confidentiality, integrity, and availability compromise, though exploitation requires high attack complexity (AC:H) suggesting non-trivial preconditions.
PHP Local File Inclusion (LFI) vulnerability in thembay Ruza versions up to 1.0.7, stemming from improper control of filename parameters in PHP include/require statements. An unauthenticated remote attacker can exploit this vulnerability over the network to read arbitrary files from the server and potentially execute code, achieving high confidentiality, integrity, and availability impact. The CVSS score of 8.1 reflects significant risk, though the attack complexity is marked as high, suggesting exploitation may require specific conditions or user interaction timing.
PHP Local File Inclusion (LFI) vulnerability in thembay Nika theme versions through 1.2.8, caused by improper control of filename parameters in PHP include/require statements (CWE-98). An unauthenticated remote attacker can exploit this vulnerability over the network to read arbitrary files from the server filesystem, potentially leading to information disclosure, code execution, or system compromise. The CVSS score of 8.1 (High) reflects significant confidentiality and integrity impact, though the AC:H (Attack Complexity: High) rating suggests some exploitation difficulty; KEV status and active exploitation data would further clarify immediate risk priority.
PHP Local File Inclusion (LFI) vulnerability in thembay Lasa versions up to 1.1, caused by improper control of filename parameters in PHP include/require statements. This allows unauthenticated remote attackers to include and execute arbitrary local files on the server, potentially leading to remote code execution, information disclosure, and system compromise. The high CVSS score of 8.1 reflects the severity of this vulnerability, though the high attack complexity (AC:H) suggests exploitation may require specific environmental conditions or knowledge of the target system.
PHP Local File Inclusion (LFI) vulnerability in thembay Besa versions through 2.3.8, stemming from improper control of filenames in include/require statements (CWE-98). An unauthenticated remote attacker can exploit this via a network vector with high complexity to achieve arbitrary file read/write capabilities, potentially leading to remote code execution. The high CVSS score of 8.1 reflects the severity of the confidentiality, integrity, and availability impact, though real-world exploitation requires specific conditions given the AC:H rating.
PHP Local File Inclusion (LFI) vulnerability in thembay Fana versions through 1.1.28 that allows unauthenticated remote attackers to include and execute arbitrary files through improper control of filename parameters in PHP include/require statements. The high CVSS score of 8.1 reflects the potential for confidentiality, integrity, and availability impact, though the 'H' attack complexity suggests exploitation requires specific conditions or knowledge of the application architecture. No publicly confirmed KEV or widespread active exploitation is documented, but the 2025 CVE date indicates this is a recently disclosed vulnerability requiring immediate attention from Fana users.
A security vulnerability in mojoomla School Management allows PHP Local File Inclusion (CVSS 7.5). High severity vulnerability requiring prompt remediation.
A security vulnerability in mojoomla WPGYM allows PHP Local File Inclusion (CVSS 7.5). High severity vulnerability requiring prompt remediation.
PHP Local File Inclusion (LFI) vulnerability in snstheme Simen versions through 4.6 that allows unauthenticated remote attackers to include and execute arbitrary local files via improper control of filename parameters in PHP include/require statements. With a CVSS score of 8.1 and network-based attack vector, this vulnerability enables confidentiality, integrity, and availability compromise; however, the high attack complexity suggests exploitation requires specific conditions or knowledge of the target environment.
PHP Local File Inclusion (LFI) vulnerability in the snstheme Evon WordPress theme (versions up to 3.4) that allows unauthenticated remote attackers to include and execute arbitrary local files on the server. An attacker can exploit this via a network attack with high complexity to achieve arbitrary code execution, data exfiltration, and system compromise. The vulnerability stems from improper input validation on filename parameters passed to PHP include/require statements.
PHP Local File Inclusion (LFI) vulnerability in the snstheme DSK WordPress theme (versions up to 2.2) that allows unauthenticated remote attackers to include and execute arbitrary local files on the server. The vulnerability stems from improper input validation on filename parameters in PHP include/require statements, potentially enabling attackers to read sensitive files, execute code, or compromise the entire WordPress installation. This is a high-severity issue (CVSS 8.1) affecting a popular theme, though real-world exploitation requires moderate attack complexity (AC:H).
A remote code execution vulnerability in all (CVSS 8.1). High severity vulnerability requiring prompt remediation.
PHP Local File Inclusion (LFI) vulnerability in LoftOcean TinySalt versions before 3.10.0, caused by improper control of filenames in PHP include/require statements (CWE-98). An unauthenticated remote attacker can exploit this network-accessible vulnerability with moderate complexity to read arbitrary files, execute code, and potentially achieve remote code execution, though exploitation requires specific conditions due to high attack complexity. The vulnerability has not been confirmed as actively exploited in the wild (KEV status unknown), but represents a critical risk for exposed TinySalt installations.
PHP Local File Inclusion (LFI) vulnerability in Unfoldwp Magze versions up to 1.0.9 that allows unauthenticated remote attackers to include and execute arbitrary local files through improper control of filename parameters in PHP include/require statements. This is a network-accessible vulnerability with high attack complexity but complete impact on confidentiality, integrity, and availability (CVSS 8.1). The vulnerability likely affects WordPress plugin deployments where Magze is installed, and successful exploitation could lead to remote code execution through log poisoning or other LFI-to-RCE chains.
A security vulnerability in Unfoldwp Magways allows PHP Local File Inclusion (CVSS 8.1). High severity vulnerability requiring prompt remediation.
A security vulnerability in Unfoldwp Magty allows PHP Local File Inclusion (CVSS 8.1). High severity vulnerability requiring prompt remediation.
A security vulnerability in Unfoldwp Blogvy allows PHP Local File Inclusion (CVSS 8.1). High severity vulnerability requiring prompt remediation.
PHP Local File Inclusion (LFI) vulnerability in Unfoldwp Blogty plugin versions up to 1.0.11 that allows unauthenticated remote attackers to include and execute arbitrary local files through improper control of filename parameters in PHP include/require statements. The vulnerability has a CVSS score of 8.1 (High), indicating potential for confidentiality, integrity, and availability compromise. Active exploitation status and EPSS probability are critical factors in determining real-world risk severity.
PHP Local File Inclusion (LFI) vulnerability in Unfoldwp Blogprise WordPress plugin versions through 1.0.9, stemming from improper control of filename parameters in PHP include/require statements (CWE-98). An unauthenticated remote attacker can exploit this vulnerability over the network to read arbitrary files from the server filesystem, potentially leading to information disclosure, code execution, or further compromise. The CVSS 8.1 score reflects high severity with network accessibility and significant confidentiality/integrity/availability impact, though attack complexity is rated as high suggesting specific conditions must be met for exploitation.
PHP Local File Inclusion (LFI) vulnerability in Unfoldwp Blogmine versions up to 1.1.7 that allows unauthenticated remote attackers to include and execute arbitrary files on the server. The vulnerability stems from improper input validation on filename parameters used in PHP include/require statements (CWE-98). While the CVSS score of 8.1 reflects high impact potential across confidentiality, integrity, and availability, the AC:H (Attack Complexity: High) suggests exploitation requires specific conditions; KEV status, EPSS probability, and public POC availability are critical factors for determining actual prioritization.
PHP Local File Inclusion (LFI) vulnerability in Unfoldwp Blogbyte versions through 1.1.1, stemming from improper control of filenames in PHP include/require statements. An unauthenticated remote attacker can exploit this vulnerability with high complexity to achieve arbitrary code execution, information disclosure, or service disruption. While the CVSS score of 8.1 reflects severe potential impact, the High attack complexity (AC:H) suggests exploitation requires specific conditions or timing, and KEV/active exploitation status and POC availability remain unconfirmed from available intelligence.
PHP Local File Inclusion (LFI) vulnerability in g5theme Essential Real Estate plugin versions through 5.2.1, allowing unauthenticated remote attackers to include and execute arbitrary local files on the affected server. The vulnerability stems from improper control of filename parameters in PHP include/require statements (CWE-98), enabling potential information disclosure, code execution, and system compromise. While the CVSS score of 8.1 indicates high severity with high confidentiality and integrity impact, real-world exploitation depends on server configuration, file system permissions, and available local files for inclusion.
Local File Inclusion (LFI) vulnerability in WP Event Manager WordPress plugin versions through 3.1.49 that allows unauthenticated remote attackers to include and execute arbitrary PHP files from the server filesystem. This CWE-98 vulnerability has a CVSS score of 8.1 (High severity) with high impact on confidentiality, integrity, and availability. While the vulnerability requires specific conditions (AC:H), its network accessibility and lack of authentication requirements make it a significant risk for affected WordPress installations.
PHP Local File Inclusion (LFI) vulnerability in magentech Revo versions up to 4.0.26 that allows unauthenticated remote attackers to include and execute arbitrary local files through improper control of filename parameters in PHP include/require statements. An attacker can exploit this to read sensitive files, execute code, or compromise the affected system; the vulnerability requires user interaction (UI:R) but carries high impact across confidentiality, integrity, and availability. While no public exploit code or KEV status is currently confirmed in available intelligence, the combination of network accessibility, high CVSS score (7.5), and file inclusion primitives makes this a notable risk for unpatched Revo installations.
PHP Local File Inclusion (LFI) vulnerability in Gavias Krowd versions up to 1.4.1 that allows unauthenticated remote attackers to include and execute arbitrary local files on the server. The vulnerability stems from improper control of filename parameters in PHP include/require statements (CWE-98), enabling attackers to read sensitive files or execute malicious code with high complexity but high impact including confidentiality, integrity, and availability compromise. No public exploit code or active exploitation reports are currently available in standard vulnerability databases, but the high CVSS score (8.1) and network-accessible attack vector indicate significant risk for unpatched installations.
PHP Local File Inclusion (LFI) vulnerability in SNS Anton theme versions up to 4.1 that allows unauthenticated remote attackers to include and execute arbitrary local files on the server. The vulnerability stems from improper input validation on filename parameters in PHP include/require statements (CWE-98), enabling attackers to read sensitive files or achieve remote code execution through log poisoning or other local file abuse techniques. With a CVSS score of 8.1 and network-based attack vector, this represents a critical risk to affected WordPress installations, particularly if actively exploited in the wild or if public proof-of-concept code is available.
A remote code execution vulnerability in snstheme Valen - Sport (CVSS 8.1). High severity vulnerability requiring prompt remediation.
PHP Local File Inclusion (LFI) vulnerability in the snstheme Avaz plugin that allows unauthenticated remote attackers to include arbitrary PHP files via improper control of filename parameters in include/require statements. The vulnerability affects Avaz versions through 2.8 and has a CVSS score of 8.1 (high severity), enabling attackers to execute arbitrary code, read sensitive files, and compromise system integrity without requiring authentication or user interaction.
PHP Local File Inclusion (LFI) vulnerability in BZOTheme GiftXtore versions through 1.7.4 that allows unauthenticated remote attackers to include and execute arbitrary local files on the server. This is a high-severity vulnerability (CVSS 8.1) that can lead to complete system compromise including confidentiality, integrity, and availability breaches. The vulnerability stems from improper validation of filename parameters in PHP include/require statements, enabling attackers to access sensitive files or execute malicious code without authentication.
PHP Local File Inclusion (LFI) vulnerability in BZOTheme Petito versions up to 1.6.2 that allows unauthenticated remote attackers to include and execute arbitrary local files on the server. The vulnerability exploits improper control of filename parameters in PHP include/require statements (CWE-98), enabling attackers to read sensitive files, execute code, or compromise server integrity with a CVSS score of 8.1 (High). While no public exploit code or KEV/EPSS data are confirmed in standard databases, the high CVSS and network accessibility make this a significant priority for affected organizations.
PHP Local File Inclusion (LFI) vulnerability in AncoraThemes Inset theme affecting versions through 1.18.0, allowing unauthenticated remote attackers to include and execute arbitrary local files on vulnerable servers. This CWE-98 vulnerability stems from improper control of filename parameters in PHP include/require statements, with a CVSS score of 8.1 (High) reflecting significant confidentiality, integrity, and availability impact. The moderate attack complexity (AC:H) suggests exploitation requires specific conditions or knowledge, though the network-accessible attack vector (AV:N) and lack of privilege requirements (PR:N) make this practically exploitable.
PHP Local File Inclusion (LFI) vulnerability in BZOTheme CraftXtore versions up to 1.7 that allows unauthenticated remote attackers to include and execute arbitrary local files through improper control of filename parameters in PHP include/require statements. The vulnerability has a CVSS score of 8.1 (high severity) with network accessibility and high impact to confidentiality, integrity, and availability. Exploitation requires moderate attack complexity but no user interaction or privileges, making it a significant risk if actively exploited or proof-of-concept code becomes public.
PHP Local File Inclusion (LFI) vulnerability in snstheme Nitan theme affecting versions through 2.9, allowing unauthenticated remote attackers to include and execute arbitrary local files on the server. While the CVSS score of 8.1 indicates high severity with potential for confidentiality, integrity, and availability impact, the attack complexity is marked as HIGH, suggesting exploitation requires specific conditions or server configurations. The vulnerability stems from improper validation of filename parameters in PHP include/require statements (CWE-98), a classic but dangerous class of web application flaws.
PHP Local File Inclusion (LFI) vulnerability in BZOTheme Fitrush versions up to 1.3.4 that allows unauthenticated remote attackers to include and execute arbitrary local files on the server. The vulnerability stems from improper control of filenames in PHP include/require statements (CWE-98), enabling attackers to read sensitive files or achieve remote code execution depending on server configuration. While the CVSS score is 8.1 (high severity), the CVSS vector indicates high attack complexity (AC:H), suggesting exploitation may require specific environmental conditions or knowledge of the target system's file structure.
A remote code execution vulnerability in snstheme BodyCenter - Gym (CVSS 8.1). High severity vulnerability requiring prompt remediation.
PHP Local File Inclusion (LFI) vulnerability in ovatheme BRW versions up to 1.8.6, stemming from improper control of filename parameters in include/require statements. An authenticated attacker with low privileges can exploit this to read arbitrary files from the server filesystem, potentially gaining access to sensitive configuration files, source code, or credentials. The vulnerability requires network access and authenticated user status (CWE-98 improper input validation on file paths), with a CVSS score of 7.5 indicating high confidentiality and integrity impact.
PHP Local File Inclusion (LFI) vulnerability in WP Travel Engine affecting versions through 6.5.1. An authenticated attacker with low privileges can exploit improper filename control in PHP include/require statements to read arbitrary files from the server, potentially obtaining sensitive configuration data, credentials, or source code. While the CVSS score is moderate (7.5), the vulnerability requires authentication and higher attack complexity, but successful exploitation could lead to complete information disclosure and potential privilege escalation.
PHP Local File Inclusion (LFI) vulnerability in Magazine3's WP Multilang plugin versions up to 2.4.19, stemming from improper control of filenames in PHP include/require statements. An authenticated attacker with low privileges can exploit this vulnerability to read arbitrary local files on the affected WordPress server, potentially leading to information disclosure, code execution, or system compromise. The CVSS score of 7.5 reflects high confidentiality and integrity impact, though exploitation requires valid credentials and non-standard conditions (AC:H).
PHP Local File Inclusion (LFI) vulnerability in the WP Shopify plugin (versions up to 1.5.3) that allows authenticated attackers to include and execute arbitrary local files on the web server through improper control of filename parameters in PHP include/require statements. The vulnerability requires low-privilege user access (PR:L) and has moderate attack complexity (AC:H), but results in complete compromise of confidentiality, integrity, and availability (C:H/I:H/A:H), making it a significant risk for WordPress sites using this plugin.
PHP Local File Inclusion (LFI) vulnerability in choicehomemortgage AI Mortgage Calculator versions up to 1.0.1, caused by improper input validation on file inclusion statements. An authenticated attacker with low privileges can exploit this vulnerability over the network to read arbitrary files from the server, potentially leading to information disclosure, privilege escalation, or remote code execution. The high CVSS score of 7.5 reflects the severity of potential impacts (confidentiality, integrity, availability compromise), though the requirement for authenticated access and high attack complexity somewhat limit real-world exploitability.
PHP Local File Inclusion (LFI) vulnerability in StylemixThemes Motors - Events plugin affecting versions up to 1.4.7, allowing unauthenticated remote attackers to include and execute arbitrary PHP files under certain conditions. With a CVSS score of 9.0 and network accessibility, this vulnerability enables complete system compromise through code execution. Active exploitation status and proof-of-concept availability should be verified through KEV database and security research databases.
A Local File Inclusion (LFI) vulnerability exists in Sitecom WLX-2006 Wall Mount Range Extender N300 v1.5 and before, which allows an attacker to manipulate the "language" cookie to include arbitrary files from the server. This vulnerability can be exploited to disclose sensitive information.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in GoodLayers Tourmaster allows PHP Local File Inclusion.3.8. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in miniOrange miniOrange Discord Integration allows PHP Local File Inclusion.2.2. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in miniOrange WordPress Social Login and Register allows PHP Local File. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Xylus Themes WP Smart Import allows PHP Local File Inclusion.1.3. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in wpjobportal WP Job Portal allows PHP Local File Inclusion.3.1. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in SEUR OFICIAL SEUR Oficial allows PHP Local File Inclusion.2.23. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WPFable Fable Extra allows PHP Local File Inclusion.0.6. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in svil4ok Meta Keywords & Description allows PHP Local File Inclusion.8. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in scripteo Ads Pro Plugin allows PHP Local File Inclusion.88. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in NasaTheme Nasa Core allows PHP Local File Inclusion.3.2. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Wilmër allows PHP Local File Inclusion. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Backpack Traveler allows PHP Local File Inclusion.7. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeMove Healsoul allows PHP Local File Inclusion.0.2. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in gavias Winnex allows PHP Local File Inclusion.3.2. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in gavias Oxpitan allows PHP Local File Inclusion.3.1. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ApusTheme Yozi allows PHP Local File Inclusion.0.52. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ApusTheme Butcher allows PHP Local File Inclusion.40. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ApusTheme Ogami allows PHP Local File Inclusion.53. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in gavias Enzio - Responsive Business WordPress Theme allows PHP Local File. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in gavias Kiamo - Responsive Business Service WordPress Theme allows PHP Local. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in SpyroPress La Boom allows PHP Local File Inclusion.7. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in gavias Vizeon - Business Consulting allows PHP Local File Inclusion.1.7. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ApusTheme Capie allows PHP Local File Inclusion.0.40. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Local File Inclusion vulnerability in Vasco v3.14and before allows a remote attacker to obtain sensitive information via help menu. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in FantasticPlugins SUMO Reward Points allows PHP Local File Inclusion.7.0. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Quick Facts
- Typical Severity
- HIGH
- Category
- web
- Total CVEs
- 1172