Local File Inclusion
Local File Inclusion vulnerabilities occur when an application accepts user-controlled input to specify which file should be loaded or executed, typically through functions like PHP's `include()`, `require()`, or `fopen()`.
How It Works
Local File Inclusion vulnerabilities occur when an application accepts user-controlled input to specify which file should be loaded or executed, typically through functions like PHP's include(), require(), or fopen(). The attacker manipulates file path parameters—often using directory traversal sequences like ../ or absolute paths—to access files outside the intended directory. For example, a URL parameter ?page=dashboard might be vulnerable if changed to ?page=../../../../etc/passwd.
Modern LFI exploitation extends beyond simple file reading. Attackers leverage PHP wrappers like php://filter to apply encoding filters that bypass content restrictions. The php://filter/convert.base64-encode wrapper allows reading PHP source code without execution, exposing credentials and logic flaws. More sophisticated attacks chain multiple filters together to construct executable PHP code from seemingly harmless character transformations.
Log poisoning escalates LFI to remote code execution by injecting malicious PHP code into log files (access logs, error logs, email logs), then using the LFI vulnerability to include and execute those logs. Attackers can also abuse data wrappers (data://text/plain,<?php system($_GET['cmd']);?>) or expect:// protocol handlers depending on server configuration.
Impact
- Source code disclosure — exposing application logic, API keys, database credentials, and proprietary algorithms
- Configuration file access — reading database connection strings, encryption keys, cloud service credentials from config files
- Sensitive data extraction — accessing
/etc/passwd, SSH keys, user data files, session tokens - Remote code execution — through log poisoning, wrapper abuse, or including uploaded files containing malicious code
- Lateral movement preparation — gathering internal network details, service configurations, and authentication mechanisms
Real-World Examples
The osTicket CVE-2022-22200 vulnerability demonstrated advanced filter chain exploitation where attackers injected a PHP filter chain into a ticket's CSS style attribute. The malicious payload bypassed the htmLawed HTML sanitizer using strategic whitespace, then exploited mPDF's processing of php:// wrappers after URL-decoding. This allowed arbitrary file reading that escalated to RCE through chained filter operations.
phpMyAdmin has experienced multiple LFI vulnerabilities where attackers manipulated theme selection or language file parameters to include arbitrary files, often combining this with session file poisoning to achieve code execution. Content management systems like WordPress plugins frequently expose LFI through template loading mechanisms where developers fail to validate file path inputs properly.
Mitigation
- Eliminate dynamic file inclusion — use routing tables or switch statements mapping IDs to hardcoded file paths instead of concatenating user input
- Strict allowlisting — maintain explicit arrays of permitted files; validate user input against this list, never use input directly in paths
- Disable dangerous PHP wrappers — set
allow_url_include=0andallow_url_fopen=0in php.ini; disableexpect://,phar://, anddata://wrappers - Implement path canonicalization — resolve paths with
realpath(), verify they remain within allowed directories usingstrpos()checks - Apply least privilege — run web applications with minimal file system permissions, preventing access to sensitive system files
- Input validation — reject any input containing
../, absolute paths, null bytes, or protocol specifiers
Recent CVEs (1172)
Unauthenticated Local File Inclusion in the WineShop WordPress theme versions 3.17 and earlier allows remote attackers to include and execute arbitrary local files on the server via crafted requests. The flaw stems from improper control of filename for include/require (CWE-98) and carries a CVSS 8.1 (High) with full confidentiality, integrity, and availability impact, though no public exploit identified at time of analysis.
Unauthenticated local file inclusion in the ThemeRex Grecko WordPress theme versions 5.17 and earlier allows remote attackers to coerce the application into including arbitrary files from the server filesystem, potentially leading to sensitive file disclosure and PHP code execution where attacker-controlled content can be reached. The flaw is reachable without authentication over HTTP and was disclosed via Patchstack with no public exploit identified at time of analysis. CVSS is rated 8.1 with high attack complexity, indicating exploitation is feasible but not trivially automatable.
Unauthenticated local file inclusion in the ThemeRex Gita WordPress theme versions 1.11 and earlier allows remote attackers to include arbitrary local files via a PHP file-inclusion weakness (CWE-98), potentially exposing wp-config.php credentials and enabling further compromise. No public exploit identified at time of analysis, but the vulnerability is network-reachable without authentication and has been disclosed by Patchstack with a CVSS 3.1 base score of 8.1.
Unauthenticated local file inclusion in the Printo WordPress theme (versions ≤ 1.11 by ThemeRex) allows remote attackers to include arbitrary local files via a PHP file-inclusion sink (CWE-98), enabling disclosure of sensitive server-side files and potential remote code execution if attacker-controlled content can be reached on disk. No public exploit identified at time of analysis, though Patchstack has cataloged the issue and the CVSS 3.1 base score of 8.1 reflects high impact across confidentiality, integrity, and availability.
Unauthenticated local file inclusion in the Medeus WordPress theme versions 1.14 and earlier allows remote attackers to coerce the PHP backend into including arbitrary files, exposing sensitive configuration data such as wp-config.php and potentially enabling code execution if log poisoning or uploaded content can be referenced. The vulnerability is classified under CWE-98 (Improper Control of Filename for Include/Require), affects a ThemeREX product tracked by Patchstack as a WordPress theme issue, and no public exploit identified at time of analysis. Despite the CVSS 8.1 high rating, AC:H signals non-trivial exploitation requirements beyond a simple parameter swap.
Unauthenticated local file inclusion in the ThemeRex Top Dog WordPress theme (versions <=1.0.5) allows remote attackers to coerce the application into including arbitrary local PHP files, potentially leading to sensitive data disclosure or code execution if a writable/loggable file can be referenced. The flaw is reachable without authentication or user interaction over the network, though CVSS marks attack complexity as high; no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.
Unauthenticated local file inclusion in the ThemeREX Putter WordPress theme versions 1.17 and earlier allows remote attackers to read arbitrary files from the underlying web server and, in PHP environments where include wrappers are abused, potentially achieve code execution. The flaw is reachable without authentication or user interaction, though CVSS reports high attack complexity. No public exploit identified at time of analysis, but Patchstack has published the advisory.
Unauthenticated local file inclusion in the ThemeREX 'Dom' WordPress theme through version 1.24 allows remote attackers to coerce the PHP application into including arbitrary local files, leading to sensitive information disclosure and potential code execution. No public exploit identified at time of analysis, but the CVSS 8.1 rating reflects high impact across confidentiality, integrity, and availability if a vulnerable include path is reached. The flaw is tracked by Patchstack and ENISA (EUVD-2025-210210) and affects all Dom theme versions up to and including 1.24.
Unauthenticated Local File Inclusion affects the ThemeREX Mission WordPress theme in all versions up to and including 1.22, enabling remote attackers to coerce the PHP application into including arbitrary local files. Exploitation can lead to sensitive file disclosure, source-code exposure, and - depending on what files are accessible on the server - remote code execution via log poisoning or PHP wrapper abuse. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Unauthenticated local file inclusion in the Abelle WordPress theme versions 1.22 and earlier allows remote attackers to coerce the PHP runtime into including attacker-controlled file paths, leading to disclosure of sensitive server files and potential remote code execution if log poisoning or uploaded files can be reached. The flaw is reachable without credentials, but CVSS notes high attack complexity, and no public exploit identified at time of analysis. No EPSS or KEV signal is provided in the source data.
Unauthenticated Local File Inclusion in the Kelly Young WordPress theme (versions ≤1.1.0) allows remote attackers to read arbitrary local files and potentially achieve code execution by including attacker-controlled file paths via a vulnerable PHP include sink. The flaw is reachable without authentication over the network, and no public exploit identified at time of analysis. Risk is elevated by the high CVSS impact triad (C:H/I:H/A:H), though AC:H indicates non-trivial exploitation prerequisites.
Local File Inclusion in the Wanium WordPress theme (versions up to and including 1.9.8) allows remote unauthenticated attackers to coerce the application into including arbitrary local PHP files, leading to source disclosure and potential remote code execution on the server. The flaw was disclosed via Patchstack and tracked as EUVD-2025-210204; no public exploit identified at time of analysis, and the CVSS 3.1 vector (AV:N/AC:H/PR:N/UI:N) indicates network-reachable exploitation that nevertheless requires some non-trivial conditions to succeed.
Unauthenticated local file inclusion in the Food Drop WordPress theme versions 1.3 and earlier allows remote attackers to read arbitrary server files or potentially achieve PHP code execution by abusing an improperly controlled include/require path (CWE-98). The flaw was disclosed by Patchstack and tracked as EUVD-2025-210202; no public exploit code or active exploitation has been identified at time of analysis, but the network-reachable, no-auth attack surface makes it a meaningful risk for any site running this theme.
Unauthenticated Local File Inclusion in the ThemeRex Especio WordPress theme (versions ≤ 1.0) allows remote attackers to coerce the PHP application into including arbitrary files from the underlying server. Because the include path is attacker-controlled and no authentication is required, the flaw can lead to disclosure of sensitive files (wp-config.php, system files) and, depending on local file primitives available on the server, escalation to code execution. No public exploit identified at time of analysis and the vulnerability is not currently listed in CISA KEV.
Unauthenticated local file inclusion in the ThemeRex Deliciosa WordPress theme (versions up to and including 1.10.0) allows remote attackers to coerce the PHP application into including arbitrary local files, potentially leading to sensitive file disclosure and code execution. The flaw is reachable without authentication but carries high attack complexity per the CVSS vector, and no public exploit identified at time of analysis. Patchstack disclosed the issue and tracks it as EUVD-2025-210199.
Unauthenticated local file inclusion in the Corbesier WordPress theme (versions ≤ 1.15.0) allows remote attackers to read arbitrary server files or potentially execute code by abusing improper validation of file paths passed to PHP include/require functions. The flaw is reachable without credentials and carries a CVSS 3.1 score of 8.1; no public exploit identified at time of analysis, and it is not listed in CISA KEV. The combination of network reachability and unauthenticated access makes any vulnerable WordPress site running this theme an immediate concern despite the high attack complexity rating.
Unauthenticated local file inclusion in the CopyPress WordPress theme (ThemeREX) through version 1.4.5 lets remote attackers coerce the PHP include/require chain into loading arbitrary server-side files without credentials. Patchstack catalogued the flaw as CWE-98 with CVSS 8.1, and no public exploit identified at time of analysis. Successful exploitation can expose sensitive files such as wp-config.php and, depending on the include sink, escalate to PHP code execution.
Unauthenticated Local File Inclusion in the Iona WordPress theme versions 1.0.8 and earlier allows remote attackers to coerce the PHP application into including arbitrary local files, enabling source code disclosure and potentially full remote code execution. Reported by Patchstack and tracked as EUVD-2025-210196, the flaw is rated CVSS 8.1 (High) despite high attack complexity, with no public exploit identified at time of analysis.
Unauthenticated local file inclusion in the ThemeREX MaxiNet WordPress theme through version 1.2.10 allows remote attackers to coerce the PHP application into including arbitrary local files, exposing sensitive configuration data such as wp-config.php and potentially enabling code execution if log poisoning or uploaded content can be reached. The flaw was disclosed via Patchstack and tracked as EUVD-2025-210195; no public exploit identified at time of analysis, and no CISA KEV listing exists.
Unauthenticated local file inclusion in the ThemeREX Nexio WordPress theme (versions ≤ 1.10.0) allows remote attackers to coerce the PHP application into including arbitrary local files, enabling disclosure of sensitive server content and potentially remote code execution if attacker-controlled content can be staged on the host. The CWE-98 classification and PHP tag indicate a classic dynamic include/require sink reachable without authentication. At time of analysis there is no public exploit identified and no CISA KEV listing, but the unauthenticated network vector and high CVSS (8.1) warrant prompt action on any WordPress site running this theme.
Unauthenticated local file inclusion in the Planty WordPress theme versions 1.14.0 and earlier allows remote attackers to coerce the PHP application into including arbitrary files from the server filesystem, leading to disclosure of sensitive configuration data and potential code execution. The flaw is reachable without credentials over the network but rated AC:H, indicating exploitation requires meeting specific conditions; no public exploit identified at time of analysis and the issue is tracked by Patchstack and ENISA EUVD-2025-210193.
Local File Inclusion in the ThemeREX Raider Spirit WordPress theme versions 1.1.2 and earlier allows unauthenticated remote attackers to include and disclose arbitrary local files via attacker-controlled file paths reaching a PHP include/require sink. The flaw maps to CWE-98 (Improper Control of Filename for Include/Require) and was disclosed through Patchstack with no public exploit identified at time of analysis, though the CVSS 8.1 rating reflects high confidentiality, integrity, and availability impact if the inclusion can be steered to executable PHP content.
Unauthenticated remote local file inclusion in the Rosaleen WordPress theme versions 2.8 and earlier allows attackers to coerce the PHP application into including arbitrary files via a CWE-98 remote file inclusion/path traversal flaw. The issue was reported by Patchstack and affects the ThemeREX-developed Rosaleen theme; no public exploit identified at time of analysis, though the unauthenticated network vector makes opportunistic targeting plausible.
Unauthenticated Local File Inclusion in the ThemeREX Modernee WordPress theme (versions through 1.6.0) allows remote attackers to coerce the server into including arbitrary local PHP files, enabling information disclosure and potential code execution via log poisoning or session file abuse. Reported by Patchstack and tracked as EUVD-2025-210189, no public exploit identified at time of analysis and the vulnerability is not in CISA KEV. The CVSS 8.1 score reflects high impact across confidentiality, integrity, and availability but with high attack complexity.
Unauthenticated Local File Inclusion in the Learnify WordPress theme (versions up to and including 1.15.0) allows remote attackers to read arbitrary files from the underlying server without credentials. Patchstack catalogued the issue as a PHP file inclusion flaw (CWE-98) and no public exploit was identified at time of analysis, though the WordPress theme ecosystem makes targeted scanning likely. The CVSS 3.1 score of 8.1 reflects high impact across confidentiality, integrity, and availability, tempered by high attack complexity.
Unauthenticated local file inclusion in the ThemeRex Geya WordPress theme (versions up to and including 1.15) allows remote attackers to read or include arbitrary files on the server, leading to information disclosure and potential code execution via PHP file inclusion. Reported by Patchstack with no public exploit identified at time of analysis and no CISA KEV listing, though the high CVSS (8.1) reflects severe confidentiality, integrity and availability impact if the vulnerable path is reached.
Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a path traversal flaw in the plugin import routine with file upload functionality to run arbitrary PHP as the web server user. Publicly available exploit code exists (published by Karma Insecurity / VulnCheck) demonstrating a race-condition-assisted bypass of sanitization, but the issue is not listed in CISA KEV and no public EPSS signal was provided. The high PR:H requirement limits attackers to those already holding administrator credentials or able to obtain them.
WordPress Plugin Abtest contains a local file inclusion vulnerability that allows unauthenticated attackers to include arbitrary files by manipulating the action parameter. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Brandfolder plugin version 3.0 and earlier contains a local file inclusion vulnerability in callback.php that allows unauthenticated attackers to include arbitrary files by manipulating the. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Dharma Booking 2.28.3 and earlier contains a local file inclusion vulnerability that allows unauthenticated attackers to include arbitrary files by manipulating the gateway parameter. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WordPress IMDb Profile Widget 1.0.8 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating the url parameter. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Plugin Photocart Link 1.6 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting insufficient input validation in. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WP Vault 0.8.6.6 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting an unescaped parameter in the include functionality. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Local File Inclusion in the Recover Exit For WooCommerce WordPress plugin (versions up to and including 1.0.3) allows remote unauthenticated attackers to include arbitrary local PHP files via the unsanitized `tpf` POST parameter passed to `include()` in the `recover_exit()` function. Successful exploitation can disclose sensitive files such as `wp-config.php` and, when combined with file upload primitives or log poisoning, escalate to remote code execution. No public exploit identified at time of analysis, though the vulnerable sink is documented in the plugin source on plugins.trac.wordpress.org.
Local File Inclusion in Select-Themes WaveRide WordPress theme versions up to and including 1.4 allows remote attackers to coerce the application into including arbitrary local PHP files via improper validation of a filename used in an include/require statement. The flaw is rated CVSS 8.1 (high) with network attack vector and no authentication required, though high attack complexity tempers exploitability; no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Local File Inclusion in Code Supply Co. Blueprint WordPress theme versions prior to 1.1.5 allows remote unauthenticated attackers to include arbitrary local PHP files through improper filename validation in include/require statements. CVSS rates the issue 8.1 (High) with high attack complexity, and no public exploit has been identified at time of analysis. Despite the CWE-98 classification suggesting Remote File Inclusion, the vendor advisory explicitly scopes the impact to Local File Inclusion.
Local File Inclusion in Axiomthemes Racquet WordPress theme (versions through 1.12.0) allows remote unauthenticated attackers to include arbitrary local PHP files via improperly validated filename input, leading to information disclosure and potential code execution. The flaw is classified as CWE-98 (PHP Remote File Inclusion) with a CVSS 8.1 (High) rating, though high attack complexity (AC:H) tempers its real-world exploitability. No public exploit identified at time of analysis, and the issue was reported through the Patchstack research program.
Local File Inclusion in androThemes Cookiteer WordPress theme versions up to and including 1.4.8 allows remote unauthenticated attackers to include and execute arbitrary local PHP files on the underlying server. The flaw is classified as PHP Remote File Inclusion (CWE-98) but the practical impact described is LFI, which can lead to sensitive information disclosure and potential code execution through log poisoning or session file abuse. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Local File Inclusion in Axiomthemes Fermentio WordPress theme through version 1.5.0 allows remote unauthenticated attackers to include arbitrary local files via improperly controlled filename parameters in PHP include/require statements. The flaw is tracked under CWE-98 (PHP Remote File Inclusion) but per the description is exploitable as LFI, with no public exploit identified at time of analysis and high attack complexity reflected in the CVSS vector.
Local File Inclusion in the Axiomthemes Spin WordPress theme (versions up to and including 1.8) allows remote attackers to coerce the PHP runtime into including arbitrary local files via an unsanitized filename parameter passed to an include/require statement. Successful exploitation can disclose sensitive configuration data (such as wp-config.php) and, depending on server configuration, escalate into remote code execution by including attacker-controlled content. No public exploit identified at time of analysis and the vulnerability is not currently listed in CISA KEV.
Local file inclusion in the Axiomthemes Crafti WordPress theme (versions up to and including 1.12) allows remote unauthenticated attackers to coerce the PHP runtime into including arbitrary local files through improperly validated include/require parameters. Successful exploitation can lead to disclosure of sensitive server-side files, configuration data, and under certain conditions code execution via included content. No public exploit identified at time of analysis, but the issue is catalogued by Patchstack in their WordPress vulnerability database.
Local file inclusion in the UnboundStudio Accordion FAQ WordPress plugin (versions up to and including 2.2.1) allows authenticated remote attackers to include and execute arbitrary PHP files from the server filesystem via improperly controlled include/require statements. The flaw, reported by Patchstack and tagged as LFI/Information Disclosure, can lead to full compromise of the WordPress instance through disclosure of sensitive configuration data (e.g., wp-config.php) and potential code execution if attacker-controlled files are reachable. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Local File Inclusion in Axiomthemes Confidant WordPress theme (versions up to and including 1.4) allows remote unauthenticated attackers to include arbitrary local PHP files on the server, potentially leading to sensitive information disclosure and code execution. The vulnerability is reported by Patchstack with a CVSS 8.1 (High) rating; no public exploit identified at time of analysis and the CVE is not present in CISA KEV. The high attack complexity (AC:H) suggests exploitation requires specific conditions to be met, despite the network-reachable, no-auth attack surface.
Local file inclusion in FreePBX versions prior to 16.0.22 and 17.0.5 allows authenticated remote attackers to include arbitrary .class.php files from the filesystem via path traversal in the Dashboard module's getcontent AJAX handler. The unsanitized $_REQUEST['rawname'] parameter is concatenated into a PHP include() call, and any included file's top-level code executes before the subsequent class instantiation fails. No public exploit identified at time of analysis and the issue is not listed in CISA KEV, but CWE-98 PHP file inclusion bugs are historically high-value targets in PBX systems exposed to the internet.
Remote code execution in Responsive FileManager 9.14.0 enables authenticated attackers to run arbitrary code on the underlying server by abusing the force_download.php component. The CWE-98 classification points to improper control of PHP file inclusion, and while no public exploit is identified at time of analysis, the high CVSS of 8.0 reflects full confidentiality, integrity, and availability impact once a target user interacts with the attacker-supplied input.
Local File Inclusion in the SeedProd Pro WordPress plugin (all versions before 6.19.5) lets an authenticated, low-privileged user coerce a PHP include/require statement into loading attacker-influenced local files, leading to disclosure of sensitive server-side files and potential code execution if a controllable file (e.g. an uploaded payload or log) can be included. The flaw, reported by Patchstack and classified CWE-98, carries a CVSS 3.1 base score of 7.5 with high attack complexity. There is no public exploit identified at time of analysis, and CISA SSVC rates exploitation as 'none', indicating this is currently a patch-and-move-on item rather than an emergency.
Local File Inclusion in the Query Shortcode plugin for WordPress (all versions through 0.2.1) lets authenticated users with contributor-level access or higher coerce the shortcode handler into including and executing arbitrary .php files already present on the server. Because included files are run by the PHP interpreter, this can leak sensitive data, bypass access controls, and escalate to full remote code execution where an attacker can also place a .php file (e.g. via an upload feature). EPSS rates near-term exploitation probability very low (0.07%, 21st percentile) and there is no public exploit identified at time of analysis.
Unauthenticated information disclosure in Check Point Quantum Security Gateway allows remote attackers to read internal files on the appliance when the Identity Awareness blade is configured with Browser-Based Authentication. The flaw maps to CWE-98 (PHP file inclusion) and carries a CVSS 7.5 with confidentiality-only impact; EPSS is low (0.10%) and there is no public exploit identified at time of analysis, but the unauthenticated network reach against a perimeter gateway makes triage urgent for affected deployments.
Local File Inclusion in Magentech SW Core WordPress plugin (versions through 1.7.18) allows authenticated remote attackers to coerce the application into including arbitrary PHP files via improperly validated filename input. Successful exploitation results in disclosure of sensitive server-side files and potential code execution under the web server context. No public exploit has been identified at time of analysis, and EPSS exploitation probability is low at 0.11%.
A cross-site scripting (XSS) vulnerability in SketchUp 2026's Dynamic Components feature allows remote code execution and local file exfiltration through maliciously crafted SKP files. The vulnerability stems from improper input sanitization in the component options window, enabling attackers to execute arbitrary system commands and read local files without user interaction by exploiting an embedded Internet Explorer 11 browser.
Authenticated remote code execution in Concrete CMS 9.5.0 and earlier allows an administrator with composer form editing privileges to chain a path traversal flaw in the ptComposerFormLayoutSetControlCustomTemplate field with the platform's permissive file uploader to execute arbitrary PHP on the server. The vendor scored this 9.4 (CVSS v4.0) reflecting high confidentiality, integrity, and availability impact across both the vulnerable component and downstream subsequent systems. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Local File Inclusion in the Advanced Database Cleaner - Premium WordPress plugin (versions up to and including 4.1.0) allows Subscriber-level authenticated users to include and execute arbitrary .php files via the 'template' parameter. The flaw, reported by Wordfence, carries a CVSS score of 8.8 and can be escalated to full remote code execution when combined with a file upload primitive, while no public exploit identified at time of analysis.
WordPress Plugin WP with Spritz 1.0 contains a remote file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by injecting file paths into the url parameter. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Simple Fields 0.2 through 0.3.5 WordPress Plugin contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by injecting null bytes into the. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
ProcessMaker 3.5.4 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting improper path traversal validation. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Supsystic Backup 2.3.9 contains a local file inclusion vulnerability that allows unauthenticated attackers to read and delete arbitrary files by manipulating the download path parameter. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Plugin ultimate-member 2.1.3 contains a local file inclusion vulnerability that allows authenticated attackers to include arbitrary files by manipulating the pack parameter in. Rated medium severity (CVSS 6.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.
Local File Inclusion vulnerability in RTMKit Addons for Elementor plugin versions up to 2.0.2 allows authenticated attackers with Author-level privileges to include and execute arbitrary PHP files via the 'path' parameter in the 'get_content' AJAX action, enabling remote code execution. The vulnerability requires low-privilege WordPress account access (Author role or higher) and has a CVSS score of 8.8, indicating high impact across confidentiality, integrity, and availability. EPSS data not available, but exploitation requires specific WordPress role assignment, limiting attack surface to sites where untrusted users have Author-level access. No active exploitation confirmed by CISA KEV at time of analysis.
WordPress Plugin cab-fare-calculator 1.0.3 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating the controller parameter in. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Local file inclusion in Gibbon school management system versions prior to v30.0.01 enables remote code execution when authenticated users with Teacher or higher privileges manipulate the report archive directory setting to force interpretation of a malicious ZIP file as PHP code. The vulnerability compromises the underlying web server. Project Black Security Services disclosed this flaw with a detailed proof-of-concept, and the vendor released patch v30.0.01 marking it as low severity since it requires administrative access. EPSS data not available, but the high CVSS 8.9 score reflects the critical post-compromise impact despite the high privilege requirement.
Authenticated customers can achieve remote code execution in Froxlor server administration software versions prior to 2.3.6 through path traversal in the API's language parameter. By injecting malicious path traversal sequences into the `def_language` field via the `Customers.update` or `Admins.update` API endpoints, authenticated users can force the application to execute arbitrary PHP code as the web server user on subsequent requests. This vulnerability carries a CVSS score of 9.9 with scope change, indicating potential for full system compromise beyond the vulnerable component. Vendor-released patch version 2.3.6 addresses the vulnerability by implementing proper validation of language parameters against available language files.
Local file inclusion in Livemesh Addons for Elementor (WordPress plugin) ≤9.0 allows authenticated attackers with Contributor-level privileges to include and execute arbitrary PHP files via recursive directory traversal bypass in widget template parameters. The vulnerability requires Elementor plugin installation and either admin interaction (social engineering) or direct Contributor access. CVSS 8.8 reflects high impact (RCE potential) but limited by authentication requirement. No active exploitation confirmed (not in CISA KEV), but publicly available exploit code exists (Wordfence disclosure with technical details and code references).
Local File Inclusion in BoidCMS versions prior to 2.1.3 enables authenticated administrators to execute arbitrary PHP code via path traversal in the tpl parameter combined with file upload. The vulnerability chains unsanitized require_once() inclusion with media upload functionality, allowing attackers to upload malicious files and force their execution with web server privileges. Vendor-released patch available in version 2.1.3. CVSS 7.2 reflects high-privilege requirement (administrator access), but exploitation complexity is low once authenticated. No CISA KEV listing or public exploit code identified at time of analysis.
A Local File Inclusion (LFI) vulnerability in the NFSen module (nfsen.inc.php) of LibreNMS 22.11.0-23-gd091788f2 allows authenticated attackers to include arbitrary PHP files from the server filesystem via path traversal sequences in the nfsen parameter.
Local file inclusion in CactusThemes VideoPro WordPress theme through version 2.3.8.1 allows unauthenticated remote attackers to read arbitrary files on the server via improper filename control in PHP include/require statements. Exploitation requires high attack complexity but no user interaction. EPSS score indicates low observed exploitation activity; no public exploit identified at time of analysis.
Local file inclusion in Case Themes Case Theme User WordPress plugin (versions prior to 1.0.4) enables unauthenticated remote attackers to include arbitrary local files via PHP require/include statements. Successful exploitation requires high attack complexity and user interaction, but grants full compromise of confidentiality, integrity, and availability. Attackers may read sensitive configuration files, execute malicious code if file upload exists, or escalate to remote code execution through log poisoning techniques. No public exploit identified at time of analysis.
Local file inclusion in UnTheme OrganicFood WordPress theme versions up to 3.6.4 enables authenticated attackers with low privileges to read arbitrary files on the server and potentially achieve remote code execution. Exploitation requires network access and high attack complexity (CVSS AC:H), allowing disclosure of sensitive configuration data, credentials, and system files. Authenticated access (PR:L) is required. No public exploit identified at time of analysis. Low observed exploitation activity (EPSS 0.05%).
Local File Inclusion in ApusTheme Homeo WordPress theme versions ≤1.2.59 allows authenticated attackers with low privileges to read arbitrary files on the server via improper file inclusion controls. The vulnerability stems from insufficient validation of file paths in PHP include/require statements, enabling access to sensitive configuration files, credentials, or other restricted content. EPSS score of 0.05% (17th percentile) indicates low predicted exploitation probability, and no public exploit or active exploitation (CISA KEV) has been identified at time of analysis.
Local File Inclusion in ApusTheme Freeio WordPress theme (versions ≤1.3.21) allows authenticated attackers with low privileges to read arbitrary files on the server via PHP file inclusion flaws. Attack complexity is high (AC:H), requiring specific conditions beyond basic authentication. EPSS probability is low (0.05%, 17th percentile) with no confirmed active exploitation (not in CISA KEV) and no public exploit code identified at time of analysis.
Local File Inclusion in Emphires WordPress theme versions ≤3.9 allows authenticated attackers with low privileges to read arbitrary files from the server file system via improper PHP file inclusion controls. Attack complexity is rated high (AC:H), suggesting specific conditions must be met. EPSS exploitation probability is low (0.05%, 17th percentile) with no public exploit identified at time of analysis. Authenticated access requirement and high complexity reduce immediate risk despite CVSS 7.5 rating.
Local file inclusion vulnerability in kutethemes Biolife WordPress theme versions up to 3.2.3 enables authenticated attackers with low privileges to include and execute arbitrary PHP files from the server filesystem via improper filename control in include/require statements. Exploitation requires network access and high complexity conditions (CVSS:3.1 AV:N/AC:H/PR:L), potentially leading to information disclosure, code execution, and full system compromise. No public exploit identified at time of analysis. EPSS score indicates low observed exploitation activity (0.05%).
Local file inclusion in kutethemes Boutique WordPress theme versions ≤2.3.3 allows authenticated attackers with low privileges to include arbitrary PHP files, leading to high-severity impacts including information disclosure, code execution, and system compromise. Exploitation requires network access with high attack complexity. No public exploit identified at time of analysis. Authenticated attack vector (PR:L) limits exposure to users with existing credentials.
Local File Inclusion vulnerability in KuteShop WordPress theme versions ≤4.2.9 enables authenticated attackers with low privileges to include arbitrary PHP files through improper filename control in require/include statements. Exploitation requires high attack complexity and yields complete confidentiality, integrity, and availability compromise within the application context. No public exploit identified at time of analysis. EPSS 0.05% indicates low observed exploitation activity.
Local file inclusion in themeStek LabtechCO WordPress theme versions through 8.3 allows authenticated attackers with low privileges to read arbitrary files from the web server. Despite the CWE classification mentioning remote file inclusion, available data (tags, Patchstack categorization) confirms this is a local file inclusion vulnerability. EPSS score of 0.05% (17th percentile) indicates low observed exploitation probability in the wild, with no confirmed active exploitation (not in CISA KEV)
Local File Inclusion in Mikado Core WordPress plugin (≤1.6) allows authenticated remote attackers to read arbitrary files on the server via improper filename control in PHP include/require statements. Despite a 7.5 CVSS score, real-world risk is limited by low-privilege authentication requirement (PR:L) and high attack complexity (AC:H). EPSS exploitation probability is minimal (0.05%, 17th percentile), with no public exploit identified at time of analysis. Reported by Patchstack, this CWE-98 vulnerability enables information disclosure and potential code execution if attackers chain it with file upload or log poisoning techniques.
Local file inclusion in Emlog admin/plugin.php allows authenticated attackers to execute arbitrary PHP code via unsanitized $plugin parameter in GET requests, provided CSRF token validation can be bypassed. Emlog versions 2.6.2 and prior are affected. An authenticated attacker with high privileges can include arbitrary files from the server filesystem, achieving remote code execution without requiring user interaction. No public exploit code or active exploitation has been confirmed at time of analysis.
HeidiSQL 9.5.0.5196 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long file path in the logging preferences. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Dolibarr Core versions up to 22.0.4 allow authenticated users with minimal privileges to read arbitrary non-PHP files from the server via a Local File Inclusion vulnerability in /core/ajax/selectobject.php. The flaw stems from dynamic file inclusion occurring before authorization checks and a fail-open logic in the access control function, enabling exfiltration of sensitive configuration files, environment variables, and logs. Publicly available exploit code exists, and a vendor patch has been released.
A Local File Inclusion (LFI) vulnerability exists in the nK Visual Portfolio, Photo Gallery & Post Grid WordPress plugin through version 3.5.1, allowing attackers to include and execute arbitrary local files on the server via improper control of filename parameters in PHP include/require statements. An attacker with network access can exploit this vulnerability to disclose sensitive information such as configuration files, database credentials, or other local files stored on the web server. While CVSS and EPSS scores are not publicly available, the vulnerability is classified under CWE-98 (Improper Control of Filename for Include/Require) and affects all installations of this plugin running version 3.5.1 or earlier.
A Local File Inclusion (LFI) vulnerability exists in Gavias Kunco WordPress theme versions prior to 1.4.5, allowing attackers to read arbitrary files from the affected server through improper control of filename parameters in PHP include/require statements. This vulnerability enables information disclosure attacks where sensitive files such as configuration files, source code, or system files could be exposed to unauthenticated or low-privileged attackers. No CVSS score or EPSS data is currently available, but the vulnerability is classified under CWE-98 (Improper Control of Filename for Include/Require Statement), a critical class of PHP-based remote/local file inclusion flaws.
A Local File Inclusion (LFI) vulnerability exists in the CreativeWS Kiddy WordPress theme through version 2.0.8, allowing attackers to read arbitrary files from the affected server through improper control of filename parameters in PHP include/require statements. An attacker can exploit this vulnerability to disclose sensitive information such as configuration files, database credentials, or other locally stored data without requiring authentication or special privileges. While no CVSS score or EPSS data is currently available, the vulnerability is actively tracked by multiple security intelligence sources including Patchstack and ENISA, indicating confirmed exploitability.
A Local File Inclusion (LFI) vulnerability exists in CreativeWS VintWood WordPress theme versions up to and including 1.1.8, stemming from improper control of filenames in PHP include/require statements. This vulnerability allows unauthenticated attackers to read arbitrary files from the affected server, potentially exposing sensitive configuration files, database credentials, and other confidential information. No CVSS score, EPSS data, or KEV status is currently available, but the issue is documented across multiple security intelligence sources including Patchstack and ENISA.
A Local File Inclusion (LFI) vulnerability exists in CreativeWS Trendustry WordPress theme versions up to 1.1.4, allowing attackers to include and execute arbitrary local files through improper control of filename parameters in PHP include/require statements. This vulnerability can lead to information disclosure by allowing attackers to read sensitive files on the server without requiring authentication or special privileges. While no CVSS or EPSS scores are currently published, the LFI classification and information disclosure impact indicate this represents a significant security risk for affected installations.
A Local File Inclusion (LFI) vulnerability exists in CreativeWS MetaMax theme versions up to and including 1.1.4, allowing attackers to include and execute arbitrary local files through improper handling of PHP include/require statements. An unauthenticated remote attacker can exploit this to disclose sensitive files, read configuration data containing credentials, or potentially achieve remote code execution by including files with executable content. While no CVSS score or EPSS data is currently available, the vulnerability has been confirmed and documented by Patchstack with a direct reference to the affected WordPress theme.
A Local File Inclusion (LFI) vulnerability exists in the Mikado-Themes Rosebud WordPress theme through version 1.4, allowing attackers to include and execute arbitrary local files on the server via improper control of filename parameters in PHP include/require statements. This vulnerability enables information disclosure and potential remote code execution by reading sensitive files or including PHP files from the web root. No active exploitation in the wild has been publicly confirmed, but the vulnerability affects all installations of Rosebud up to and including version 1.4.
A Local File Inclusion (LFI) vulnerability exists in the Mikado-Themes Deston WordPress theme through version 1.0, allowing attackers to read arbitrary files from the server filesystem via improper control of filename parameters in PHP include/require statements. This vulnerability, classified as CWE-98 (PHP Remote File Inclusion), enables information disclosure attacks where sensitive files such as configuration files, database credentials, or source code could be exposed. The vulnerability affects all versions of Deston up to and including 1.0, and has been documented by Patchstack with an EUVD ID (EUVD-2026-15787), though CVSS scoring and KEV status are not yet available.
A Local File Inclusion (LFI) vulnerability exists in the Mikado-Themes Amfissa WordPress theme through version 1.1, allowing attackers to improperly control filenames in PHP include/require statements. This vulnerability enables unauthorized information disclosure by reading arbitrary local files from the affected server. The issue stems from improper input validation on file inclusion parameters and affects all versions of Amfissa up to and including version 1.1.
A Local File Inclusion (LFI) vulnerability exists in the Mikado-Themes Emaurri WordPress theme through version 1.0.1, allowing attackers to include and execute arbitrary local files on the affected server. The vulnerability stems from improper control of filenames in PHP include/require statements (CWE-98), enabling information disclosure and potential remote code execution depending on file access and PHP configuration. While CVSS and EPSS scores are not available, the attack vector appears to be network-based with low complexity, and the vulnerability has been documented by Patchstack but exploitation status and proof-of-concept availability require verification from primary sources.
A Local File Inclusion (LFI) vulnerability exists in Mikado-Themes' MultiOffice WordPress theme versions up to and including 1.2, stemming from improper control of filenames in PHP include/require statements. An attacker can exploit this vulnerability to read arbitrary files from the affected server, potentially disclosing sensitive configuration files, database credentials, or other confidential information. No CVSS score, EPSS data, or active exploitation (KEV) status has been assigned to this vulnerability.
A Local File Inclusion (LFI) vulnerability exists in the Mikado-Themes LuxeDrive WordPress theme (version 1.0 and earlier) that allows attackers to read arbitrary files from the affected server through improper control of filename parameters in PHP include/require statements. An unauthenticated attacker can exploit this vulnerability to disclose sensitive information such as configuration files, database credentials, or other system files without requiring special privileges or user interaction. While no CVSS score or EPSS data is currently available, the vulnerability class (CWE-98: Improper Control of Filename for Include/Require Statement) indicates a high-severity condition with straightforward exploitation mechanics.
Quick Facts
- Typical Severity
- HIGH
- Category
- web
- Total CVEs
- 1172