Skip to main content

Local File Inclusion

web HIGH

Local File Inclusion vulnerabilities occur when an application accepts user-controlled input to specify which file should be loaded or executed, typically through functions like PHP's `include()`, `require()`, or `fopen()`.

How It Works

Local File Inclusion vulnerabilities occur when an application accepts user-controlled input to specify which file should be loaded or executed, typically through functions like PHP's include(), require(), or fopen(). The attacker manipulates file path parameters—often using directory traversal sequences like ../ or absolute paths—to access files outside the intended directory. For example, a URL parameter ?page=dashboard might be vulnerable if changed to ?page=../../../../etc/passwd.

Modern LFI exploitation extends beyond simple file reading. Attackers leverage PHP wrappers like php://filter to apply encoding filters that bypass content restrictions. The php://filter/convert.base64-encode wrapper allows reading PHP source code without execution, exposing credentials and logic flaws. More sophisticated attacks chain multiple filters together to construct executable PHP code from seemingly harmless character transformations.

Log poisoning escalates LFI to remote code execution by injecting malicious PHP code into log files (access logs, error logs, email logs), then using the LFI vulnerability to include and execute those logs. Attackers can also abuse data wrappers (data://text/plain,<?php system($_GET['cmd']);?>) or expect:// protocol handlers depending on server configuration.

Impact

  • Source code disclosure — exposing application logic, API keys, database credentials, and proprietary algorithms
  • Configuration file access — reading database connection strings, encryption keys, cloud service credentials from config files
  • Sensitive data extraction — accessing /etc/passwd, SSH keys, user data files, session tokens
  • Remote code execution — through log poisoning, wrapper abuse, or including uploaded files containing malicious code
  • Lateral movement preparation — gathering internal network details, service configurations, and authentication mechanisms

Real-World Examples

The osTicket CVE-2022-22200 vulnerability demonstrated advanced filter chain exploitation where attackers injected a PHP filter chain into a ticket's CSS style attribute. The malicious payload bypassed the htmLawed HTML sanitizer using strategic whitespace, then exploited mPDF's processing of php:// wrappers after URL-decoding. This allowed arbitrary file reading that escalated to RCE through chained filter operations.

phpMyAdmin has experienced multiple LFI vulnerabilities where attackers manipulated theme selection or language file parameters to include arbitrary files, often combining this with session file poisoning to achieve code execution. Content management systems like WordPress plugins frequently expose LFI through template loading mechanisms where developers fail to validate file path inputs properly.

Mitigation

  • Eliminate dynamic file inclusion — use routing tables or switch statements mapping IDs to hardcoded file paths instead of concatenating user input
  • Strict allowlisting — maintain explicit arrays of permitted files; validate user input against this list, never use input directly in paths
  • Disable dangerous PHP wrappers — set allow_url_include=0 and allow_url_fopen=0 in php.ini; disable expect://, phar://, and data:// wrappers
  • Implement path canonicalization — resolve paths with realpath(), verify they remain within allowed directories using strpos() checks
  • Apply least privilege — run web applications with minimal file system permissions, preventing access to sensitive system files
  • Input validation — reject any input containing ../, absolute paths, null bytes, or protocol specifiers

Recent CVEs (1172)

EPSS 2% CVSS 7.5
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in themehorse Meta News meta-news.1.7. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure LFI PHP
NVD VulDB
EPSS 2% CVSS 7.5
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in themehorse NewsCard newscard.3. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure LFI PHP
NVD VulDB
EPSS 2% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in wdesco Advanced Online Ordering and Delivery Platform. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure LFI PHP
NVD VulDB
EPSS 0% CVSS 7.2
HIGH This Week

The WordPress Post Grid Layouts with Pagination - Sogrid plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.5.6 via the 'tab' parameter. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

LFI Information Disclosure PHP +3
NVD
EPSS 2% CVSS 7.5
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in themehorse Mags mags.1.6. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure LFI PHP
NVD VulDB
EPSS 3% CVSS 7.5
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Qode Qi Blocks qi-blocks.3.2. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure LFI PHP
NVD VulDB
EPSS 2% CVSS 7.5
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ramjon27 Dynamic Elementor Addons dynamic-elementor-addons allows PHP Local. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure LFI PHP +1
NVD VulDB
EPSS 5% CVSS 7.5
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ZIPANG Point Maker point-maker allows PHP Local File Inclusion.1.4. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure LFI PHP
NVD VulDB
EPSS 4% CVSS 7.5
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Acnoo Maan Addons For Elementor maan-elementor-addons allows Local Code. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure LFI PHP
NVD VulDB
EPSS 3% CVSS 7.5
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Hung Trang Si SB Random Posts Widget sb-random-posts-widget allows PHP Local. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure LFI PHP
NVD VulDB
EPSS 1% CVSS 8.8
HIGH This Week

The ee-class from FormosaSoft does not properly validate a specific page parameter, allowing remote attackers with regular privileges to upload a malicious PHP file first and then exploit this. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

LFI RCE PHP +1
NVD
EPSS 1% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Ex-Themes WP Timeline - Vertical and Horizontal timeline plugin. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure LFI PHP
NVD VulDB
EPSS 1% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in abcapp ABCApp Creator abcapp-creator.1.2. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure LFI PHP
NVD VulDB
EPSS 1% CVSS 9.3
CRITICAL Act Now

The web service for ONS-S8 - Spectra Aggregation Switch includes functions which do not properly validate user input, allowing an attacker to traverse directories, bypass authentication, and execute. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

LFI PHP Authentication Bypass
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in wpWax Product Carousel Slider & Grid Ultimate for WooCommerce. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure WordPress LFI +1
NVD VulDB
EPSS 3% CVSS 8.8
HIGH POC PATCH This Week

The Clean Login plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.14.5 via the 'template' attribute of the clean-login-register shortcode. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

PHP WordPress RCE +3
NVD
EPSS 72% CVSS 8.1
HIGH This Week

Zen Cart findPluginAdminPage Local File Inclusion Remote Code Execution Vulnerability. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

LFI RCE PHP +1
NVD
EPSS 1% CVSS 9.6
CRITICAL Act Now

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Hamed Naderfar Compute Links allows PHP Remote File Inclusion.2.1. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

LFI PHP Information Disclosure
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

The Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) plugin for WordPress is vulnerable to arbitrary file reads in all versions up to, and. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP Information Disclosure WordPress +2
NVD
EPSS 1% CVSS 8.8
HIGH PATCH This Week

The LearnPress - WordPress LMS Plugin plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.2.6.8.2 via the 'render_content_block_template' function. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

PHP WordPress RCE +3
NVD
EPSS 1% CVSS 8.1
HIGH This Week

This High severity File Inclusion vulnerability was introduced in versions 9.0.0, 9.1.0, 9.2.0, 9.3.0, 9.4.0, 9.5.0 and 9.6.0 of Bamboo Data Center and Server. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

LFI PHP Information Disclosure +2
NVD
EPSS 2% CVSS 7.5
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Bastien Ho Event post event-post.9.5. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure LFI PHP
NVD VulDB
EPSS 2% CVSS 6.5
MEDIUM This Month

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in RadiusTheme ShopBuilder - Elementor WooCommerce Builder Addons. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure WordPress LFI +1
NVD VulDB
EPSS 1% CVSS 4.9
MEDIUM This Month

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in IdeaBox Creations PowerPack Lite for Beaver Builder. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure LFI PHP
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Local File Inclusion vulnerability in LA-Studio LA-Studio Element Kit for Elementor via "LaStudioKit Progress Bar" widget in New Post, specifically in the "progress_type" attribute.3.8.1. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

LFI PHP Information Disclosure +1
NVD
EPSS 1% CVSS 8.8
HIGH This Week

The WPCafe - Online Food Ordering, Restaurant Menu, Delivery, and Reservations for WooCommerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.2.25. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE WordPress PHP +2
NVD
EPSS 0% CVSS 8.8
HIGH This Week

The Plus Addons for Elementor Page Builder plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 5.5.4 via the 'magazine_style' parameter within the Dynamic. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure LFI PHP +4
NVD
EPSS 0% CVSS 8.8
HIGH This Week

The WP Blog Post Layouts plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.1.3. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure LFI PHP +3
NVD
EPSS 0% CVSS 7.5
HIGH This Week

The WP Magazine Modules Lite plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.1.2 via the 'blockLayout' parameter. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

PHP LFI Information Disclosure +2
NVD
EPSS 0% CVSS 6.4
MEDIUM POC PATCH This Month

The Video Gallery - YouTube Playlist, Channel Gallery by YotuWP plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.3.13 via the display function. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

PHP Information Disclosure RCE +3
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

The Video Gallery - YouTube Playlist, Channel Gallery by YotuWP plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.3.13 via the settings parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

WordPress PHP RCE +3
NVD
EPSS 1% CVSS 8.8
HIGH This Week

The tagDiv Composer plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.8 via the 'td_block_title' shortcode 'block_template_id' attribute. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress PHP RCE +3
NVD
EPSS 2% CVSS 9.8
CRITICAL Act Now

The Where I Was, Where I Will Be plugin for WordPress is vulnerable to Remote File Inclusion in version <= 1.1.1 via the WIW_HEADER parameter of the /system/include/include_user.php file. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure LFI PHP +2
NVD
EPSS 11% CVSS 9.8
CRITICAL PATCH Act Now

The Canto plugin for WordPress is vulnerable to Remote File Inclusion in all versions up to, and including, 3.0.8 via the abspath parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 11.5%.

LFI PHP WordPress +2
NVD
EPSS 1% CVSS 8.8
HIGH This Week

SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

LFI RCE PHP +1
NVD GitHub
EPSS 0% CVSS 4.9
MEDIUM This Month

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Melapress MelaPress Login Security melapress-login-security.3.0. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure LFI PHP
NVD VulDB
EPSS 18% CVSS 7.5
HIGH PATCH Act Now

The Qi Addons For Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.7.2 via the 'behavior' attributes found in the. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. Epss exploitation probability 18.1%.

PHP LFI Information Disclosure +4
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Wow-Company Easy Digital Downloads - Recent Purchases allows PHP Remote File. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

LFI PHP Information Disclosure +1
NVD
EPSS 1% CVSS 8.1
HIGH POC This Week

Sourcecodester Gas Agency Management System v1.0 is vulnerable to arbitrary code execution via editClientImage.php. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

LFI RCE PHP +1
NVD GitHub
EPSS 0% CVSS 8.8
HIGH This Week

The Elements For Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.1 via the 'beforeafter_layout' attribute of the beforeafter widget, the. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP Information Disclosure RCE +2
NVD
EPSS 1% CVSS 8.8
HIGH PATCH This Week

The Content Blocks (Custom Post Widget) plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.3.0 via the plugin's 'content_block' shortcode. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

PHP Information Disclosure RCE +3
NVD
EPSS 1% CVSS 8.8
HIGH This Week

The Responsive Owl Carousel for Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.2.0 via the layout parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP LFI Information Disclosure +2
NVD
EPSS 0% CVSS 7.5
HIGH This Week

The Salient Core plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.0.7 via the 'nectar_icon' shortcode 'icon_linea' attribute. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

PHP Information Disclosure RCE +2
NVD
EPSS 0% CVSS 8.8
HIGH This Week

The Salient Shortcodes plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.5.3 via the 'icon' shortcode 'image' attribute. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP Information Disclosure RCE +2
NVD
EPSS 35% CVSS 8.1
HIGH Act Now

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in EverPress Mailster mailster.0.6. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Epss exploitation probability 35.5% and no vendor patch available.

Information Disclosure LFI PHP
NVD VulDB
EPSS 50% CVSS 8.3
HIGH Act Now

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Premmerce Premmerce Permalink Manager for WooCommerce. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, no authentication required. Epss exploitation probability 50.4% and no vendor patch available.

Information Disclosure WordPress LFI +1
NVD VulDB
EPSS 1% CVSS 9.8
CRITICAL Act Now

The Penci Soledad Data Migrator plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.3.0 via the 'data' parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PHP Information Disclosure RCE +2
NVD
EPSS 1% CVSS 8.8
HIGH This Week

The All-in-One Video Gallery plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.6.5 via the aiovg_search_form shortcode. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP Information Disclosure RCE +2
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

An issue was discovered in linqi before 1.4.0.1 on Windows. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

LFI PHP Information Disclosure +2
NVD
EPSS 1% CVSS 8.1
HIGH This Week

The XML Sitemap & Google News plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 5.4.8 via the 'feed' parameter. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Google WordPress PHP +3
NVD
EPSS 0% CVSS 8.8
HIGH This Week

The Porto Theme - Functionality plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.0.9 via the 'slideshow_type' post meta. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP Information Disclosure RCE +2
NVD
EPSS 0% CVSS 8.8
HIGH This Week

The Porto Theme - Functionality plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.1.0 via the 'porto_portfolios' shortcode 'portfolio_layout'. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP Information Disclosure RCE +2
NVD
EPSS 6% CVSS 8.8
HIGH This Week

The Porto theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 7.1.0 via 'porto_page_header_shortcode_type', 'slideshow_type' and 'post_layout' post meta. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress PHP RCE +2
NVD
EPSS 56% CVSS 9.8
CRITICAL Emergency

The Porto theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 7.1.0 via the 'porto_ajax_posts' function. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 56.5% and no vendor patch available.

WordPress PHP RCE +2
NVD
EPSS 0% CVSS 4.9
MEDIUM This Month

CmsEasy v7.7.7.9 was discovered to contain a local file inclusion vunerability via the file_get_contents function in the fetch_action method of /admin/template_admin.php. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

LFI PHP Information Disclosure +1
NVD GitHub
EPSS 1% CVSS 8.8
HIGH This Week

The Click to Chat - HoliThemes plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.35. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP Information Disclosure RCE +2
NVD
EPSS 1% CVSS 8.8
HIGH This Week

The ElementsKit Pro plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.6.0 via the Price Menu, Hotspot, and Advanced Toggle widgets. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP Information Disclosure RCE +3
NVD
EPSS 2% CVSS 8.8
HIGH PATCH This Week

The ElementsKit Elementor addons plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.1.0 via the generate_navigation_markup function of the Onepage. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

WordPress PHP RCE +4
NVD
EPSS 31% CVSS 9.3
CRITICAL POC PATCH THREAT Act Now

A Local File Inclusion (LFI) vulnerability exists in the parisneo/lollms-webui application, specifically within the `/personalities` route. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

LFI PHP Path Traversal +1
NVD GitHub
EPSS 50% 4.9 CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

The MasterStudy LMS plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.3.3 via the 'template' parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 49.6%.

WordPress PHP RCE +3
NVD
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

Arbitrary file upload vulnerability in Sourcecodester Complete E-Commerce Site v1.0, allows remote attackers to execute arbitrary code via filename parameter in admin/products_photo.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

LFI RCE PHP +2
NVD GitHub
EPSS 2% CVSS 8.8
HIGH PATCH This Week

The ElementsKit Elementor addons plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.0.6 via the render_raw function. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

WordPress PHP RCE +4
NVD VulDB
EPSS 1% CVSS 7.2
HIGH PATCH This Week

The HUSKY - Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.3.5.2 via the 'type' parameter. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity.

WordPress PHP RCE +3
NVD VulDB
EPSS 3% CVSS 9.8
CRITICAL PATCH Act Now

The MasterStudy LMS plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.3.0 via the 'modal' parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

PHP Information Disclosure RCE +3
NVD VulDB
EPSS 1% CVSS 8.8
HIGH PATCH This Week

The Restaurant Reservations plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.9 via the nd_rst_layout attribute of the nd_rst_search shortcode. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

PHP Information Disclosure RCE +3
NVD
EPSS 62% 5.3 CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

The Shield Security - Smart Bot Blocking & Intrusion Prevention Security plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 18.5.9 via the. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 61.9%.

LFI WordPress Information Disclosure +2
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Remote file inclusion vulnerability in FireEye Central Management affecting version 9.1.1.956704. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

LFI PHP Information Disclosure +1
NVD
EPSS 64% CVSS 8.8
HIGH POC THREAT Act Now

Cacti is a robust performance and fault management framework and a frontend to RRDTool - a Time Series Database (TSDB). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE LFI PHP +2
NVD GitHub
EPSS 43% 4.4 CVSS 8.1
HIGH POC PATCH THREAT Act Now

The News & Blog Designer Pack - WordPress Blog Plugin - (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post Ticker, Blog Post Masonry) plugin for WordPress is vulnerable to Remote Code. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and EPSS exploitation probability 43.2%.

PHP LFI RCE +3
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

The HTML filter and csv-file search plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 2.7 via the 'src' attribute of the 'csvsearch' shortcode. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

PHP Information Disclosure RCE +3
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

The Grid Plus plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 1.3.3 via a shortcode attribute. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP Information Disclosure RCE +3
NVD VulDB
EPSS 5% CVSS 9.9
CRITICAL POC Act Now

The PHP to Page plugin for WordPress is vulnerable Local File Inclusion to Remote Code Execution in versions up to, and including, 0.3 via the 'php-to-page' shortcode. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

LFI PHP WordPress +2
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

The Dropbox Folder Share for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 1.9.7 via the editor-view.php file. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

WordPress PHP RCE +3
NVD VulDB
EPSS 1% CVSS 7.5
HIGH POC This Week

FUXA <= 1.1.12 is vulnerable to Local via Inclusion via /api/download. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

LFI PHP Information Disclosure +1
NVD GitHub
EPSS 1% CVSS 7.5
HIGH This Week

FUXA <= 1.1.12 has a Local File Inclusion vulnerability via file=fuxa.log. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

LFI PHP Information Disclosure +1
NVD GitHub
EPSS 1% CVSS 4.9
MEDIUM POC This Month

An issue was discovered in Geomatika IsiGeo Web 6.0. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

LFI PHP Information Disclosure +1
NVD GitHub
EPSS 87% 6.1 CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

The Canto plugin for WordPress is vulnerable to Remote File Inclusion in versions up to, and including, 3.0.4 via the 'wp_abspath' parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 87.1%.

PHP RCE WordPress +2
NVD
EPSS 1% CVSS 8.8
HIGH POC PATCH This Week

PHP Remote File Inclusion in GitHub repository cockpit-hq/cockpit prior to 2.6.3. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

LFI PHP Information Disclosure +1
NVD GitHub
EPSS 48% CVSS 8.8
HIGH PATCH Act Now

The wpForo Forum plugin for WordPress is vulnerable to Local File Include, Server-Side Request Forgery, and PHAR Deserialization in versions up to, and including, 2.1.7. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 48.2%.

Deserialization WordPress PHP +4
NVD VulDB
EPSS 2% CVSS 8.8
HIGH POC PATCH This Week

PHP Remote File Inclusion in GitHub repository unilogies/bumsys prior to 2.1.1. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

LFI PHP Information Disclosure +1
NVD GitHub
EPSS 5% CVSS 8.8
HIGH POC This Week

AgileBio Electronic Lab Notebook v4.234 was discovered to contain a local file inclusion vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

LFI PHP Information Disclosure +1
NVD Exploit-DB
EPSS 35% CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

PHP Remote File Inclusion in GitHub repository flatpressblog/flatpress prior to 1.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

LFI Information Disclosure PHP +1
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL POC PATCH Act Now

PHP Remote File Inclusion in GitHub repository tsolucio/corebos prior to 8.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

LFI Information Disclosure PHP +1
NVD GitHub
EPSS 1% CVSS 7.5
HIGH POC This Week

An issue was discovered in Appalti & Contratti 9.12.2. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

LFI Information Disclosure PHP +1
NVD
EPSS 1% CVSS 7.5
HIGH POC PATCH This Week

Mobile Security Framework (MobSF) v0.9.2 and below was discovered to contain a local file inclusion (LFI) vulnerability in the StaticAnalyzer/views.py script. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure PHP LFI +1
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL POC Act Now

A remote file inclusion (RFI) vulnerability in Simple College Website v1.0 allows attackers to execute arbitrary code via a crafted PHP file. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP LFI +1
NVD
EPSS 1% CVSS 4.7
MEDIUM This Month

A remote file inclusion vulnerability in the ArcGIS Server help documentation may allow a remote, unauthenticated attacker to inject attacker supplied html into a page. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

LFI PHP Code Injection +1
NVD
EPSS 3% CVSS 7.2
HIGH POC PATCH This Week

A bypass of adding remote files in Concrete CMS (previously concrete5) File Manager leads to remote code execution in Concrete CMS (concrete5) versions 8.5.6 and below.The external file upload. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

LFI RCE PHP +2
NVD
EPSS 4% CVSS 9.8
CRITICAL POC Act Now

A local file inclusion (LFI) vulnerability exists in the options.php script functionality of Advantech R-SeeNet v 2.4.12 (20.10.2020). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

LFI RCE PHP +1
NVD
EPSS 2% CVSS 7.5
HIGH This Week

The Management Interface of the Teradici Cloud Access Connector and Cloud Access Connector Legacy for releases prior to April 20, 2020 (v15 and earlier for Cloud Access Connector) contains a local. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure LFI PHP +2
NVD
Prev Page 13 of 14 Next

Quick Facts

Typical Severity
HIGH
Category
web
Total CVEs
1172

Related CWEs

MITRE ATT&CK

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy