Skip to main content

Local File Inclusion

web HIGH

Local File Inclusion vulnerabilities occur when an application accepts user-controlled input to specify which file should be loaded or executed, typically through functions like PHP's `include()`, `require()`, or `fopen()`.

How It Works

Local File Inclusion vulnerabilities occur when an application accepts user-controlled input to specify which file should be loaded or executed, typically through functions like PHP's include(), require(), or fopen(). The attacker manipulates file path parameters—often using directory traversal sequences like ../ or absolute paths—to access files outside the intended directory. For example, a URL parameter ?page=dashboard might be vulnerable if changed to ?page=../../../../etc/passwd.

Modern LFI exploitation extends beyond simple file reading. Attackers leverage PHP wrappers like php://filter to apply encoding filters that bypass content restrictions. The php://filter/convert.base64-encode wrapper allows reading PHP source code without execution, exposing credentials and logic flaws. More sophisticated attacks chain multiple filters together to construct executable PHP code from seemingly harmless character transformations.

Log poisoning escalates LFI to remote code execution by injecting malicious PHP code into log files (access logs, error logs, email logs), then using the LFI vulnerability to include and execute those logs. Attackers can also abuse data wrappers (data://text/plain,<?php system($_GET['cmd']);?>) or expect:// protocol handlers depending on server configuration.

Impact

  • Source code disclosure — exposing application logic, API keys, database credentials, and proprietary algorithms
  • Configuration file access — reading database connection strings, encryption keys, cloud service credentials from config files
  • Sensitive data extraction — accessing /etc/passwd, SSH keys, user data files, session tokens
  • Remote code execution — through log poisoning, wrapper abuse, or including uploaded files containing malicious code
  • Lateral movement preparation — gathering internal network details, service configurations, and authentication mechanisms

Real-World Examples

The osTicket CVE-2022-22200 vulnerability demonstrated advanced filter chain exploitation where attackers injected a PHP filter chain into a ticket's CSS style attribute. The malicious payload bypassed the htmLawed HTML sanitizer using strategic whitespace, then exploited mPDF's processing of php:// wrappers after URL-decoding. This allowed arbitrary file reading that escalated to RCE through chained filter operations.

phpMyAdmin has experienced multiple LFI vulnerabilities where attackers manipulated theme selection or language file parameters to include arbitrary files, often combining this with session file poisoning to achieve code execution. Content management systems like WordPress plugins frequently expose LFI through template loading mechanisms where developers fail to validate file path inputs properly.

Mitigation

  • Eliminate dynamic file inclusion — use routing tables or switch statements mapping IDs to hardcoded file paths instead of concatenating user input
  • Strict allowlisting — maintain explicit arrays of permitted files; validate user input against this list, never use input directly in paths
  • Disable dangerous PHP wrappers — set allow_url_include=0 and allow_url_fopen=0 in php.ini; disable expect://, phar://, and data:// wrappers
  • Implement path canonicalization — resolve paths with realpath(), verify they remain within allowed directories using strpos() checks
  • Apply least privilege — run web applications with minimal file system permissions, preventing access to sensitive system files
  • Input validation — reject any input containing ../, absolute paths, null bytes, or protocol specifiers

Recent CVEs (1172)

EPSS 0% CVSS 8.1
HIGH This Week

A Local File Inclusion (LFI) vulnerability exists in the Mikado-Themes Belfort WordPress theme version 1.0 and earlier, allowing attackers to include and execute arbitrary local files through improper control of filename parameters in PHP include/require statements. While classified as a Remote File Inclusion vulnerability in the CVE description, the actual impact is Local File Inclusion, enabling information disclosure through the reading of sensitive files such as configuration files, database credentials, and source code. No CVSS score, EPSS data, or KEV status is currently available, but the vulnerability's nature suggests moderate to high real-world risk given the prevalence of WordPress themes and the ease of exploitation.

PHP Information Disclosure LFI
NVD VulDB
EPSS 0% CVSS 8.1
HIGH This Week

A Local File Inclusion (LFI) vulnerability exists in Elated-Themes' The Aisle Core WordPress plugin through version 2.0.5, stemming from improper control of filenames in PHP include/require statements. This vulnerability allows unauthenticated attackers to read arbitrary files from the affected server, potentially exposing sensitive configuration files, database credentials, and other confidential information. No CVSS score, EPSS data, or active KEV status is currently available, but the vulnerability has been publicly documented by Patchstack and assigned EUVD-2026-15765.

PHP LFI Information Disclosure
NVD VulDB
EPSS 0% CVSS 8.1
HIGH This Week

A Local File Inclusion (LFI) vulnerability exists in Mikado-Themes Curly Core plugin for WordPress through version 2.1.6, allowing improper control of filenames in PHP include/require statements. Attackers can exploit this to read arbitrary local files from the affected server, potentially disclosing sensitive configuration files, database credentials, and other confidential data. No CVSS score or EPSS data is currently available, and KEV/active exploitation status is unknown, but the vulnerability has been documented by Patchstack with a public reference URL.

PHP Information Disclosure LFI
NVD VulDB
EPSS 0% CVSS 8.1
HIGH This Week

A Local File Inclusion (LFI) vulnerability exists in TieLabs Jannah WordPress theme through version 7.6.3, stemming from improper control of filename parameters in PHP include/require statements. An attacker can exploit this vulnerability to read arbitrary local files from the affected server, potentially disclosing sensitive configuration files, credentials, or source code. No CVSS score, EPSS data, or active KEV listing is currently available, but the LFI classification and information disclosure impact indicate moderate to high real-world risk depending on server configuration and file permissions.

PHP Information Disclosure LFI
NVD VulDB
EPSS 0% CVSS 8.1
HIGH This Week

The Select-Themes Moments WordPress theme versions 2.2 and earlier contain a Local File Inclusion (LFI) vulnerability that allows attackers to improperly control filename parameters in PHP include/require statements. An unauthenticated attacker can exploit this vulnerability to read arbitrary files from the affected server, potentially disclosing sensitive configuration files, source code, or other confidential information. While no CVSS score or EPSS data is currently available and no active KEV listing is confirmed, the vulnerability is catalogued by Patchstack and has been assigned EUVD-2026-15740, indicating documented exploitation potential.

PHP Information Disclosure LFI
NVD VulDB
EPSS 0% CVSS 8.1
HIGH This Week

A Local File Inclusion (LFI) vulnerability exists in the Select-Themes Mixtape WordPress theme through version 2.1, allowing attackers to include and execute arbitrary local files on the affected server. The vulnerability stems from improper control of filenames in PHP include/require statements (CWE-98), enabling information disclosure and potential remote code execution depending on file accessibility. While no CVSS score or EPSS data is currently available, the LFI classification and PHP nature of the vulnerability indicate moderate to high exploitability with network-based attack vectors.

PHP Information Disclosure LFI
NVD VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

A Local File Inclusion (LFI) vulnerability exists in jwsthemes IdealAuto WordPress theme versions prior to 3.8.6, where improper control of filenames in PHP include/require statements allows attackers to read arbitrary files from the affected server. An unauthenticated remote attacker can exploit this vulnerability to disclose sensitive information such as configuration files, database credentials, and other system files. This vulnerability has been documented by Patchstack and tracked under EUVD-2026-15701; no CVSS score is currently assigned, though the tags indicate it enables information disclosure through PHP-based file inclusion.

PHP Information Disclosure LFI
NVD VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

A Local File Inclusion (LFI) vulnerability exists in the JWSThemes LoveDate WordPress theme through version 3.8.5, allowing attackers to read arbitrary files from the affected server through improper control of filename parameters in PHP include/require statements. The vulnerability affects all versions of LoveDate prior to 3.8.6, and an attacker can exploit this to disclose sensitive information such as configuration files, database credentials, and other system files without requiring authentication or special privileges.

PHP Information Disclosure LFI
NVD VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

A PHP Local File Inclusion (LFI) vulnerability exists in jwsthemes Feedy theme versions prior to 2.1.5, stemming from improper control of filenames in PHP include/require statements. This vulnerability allows unauthenticated attackers to read arbitrary files from the affected server, potentially exposing sensitive configuration files, database credentials, and other confidential information. The vulnerability is classified under CWE-98 (Improper Control of Filename for Include/Require Statement) and was reported by Patchstack, affecting WordPress installations using the vulnerable Feedy theme.

PHP Information Disclosure LFI
NVD VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

A Local File Inclusion (LFI) vulnerability exists in jwsthemes StreamVid WordPress theme versions prior to 6.8.6, where improper control of filename parameters in PHP include/require statements allows attackers to read arbitrary files from the server. The vulnerability is classified as CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program) and has been documented by Patchstack with ENISA tracking ID EUVD-2026-15696. While no CVSS score or EPSS data is currently published, the LFI classification indicates potential for sensitive information disclosure including configuration files, source code, and credentials.

PHP Information Disclosure LFI
NVD VulDB
EPSS 0% CVSS 8.1
HIGH This Week

A Local File Inclusion (LFI) vulnerability exists in the NaturaLife Extensions WordPress plugin (versions up to 2.1) due to improper control of filenames in PHP include/require statements. This vulnerability allows unauthenticated attackers to read arbitrary files from the affected server, potentially leading to sensitive information disclosure such as configuration files, database credentials, and application source code. No CVSS score, EPSS data, or active KEV status is available, but the vulnerability is confirmed by Patchstack and tracked under EUVD-2026-15617.

PHP Information Disclosure LFI
NVD VulDB
EPSS 0% CVSS 8.1
HIGH This Week

AncoraThemes Wizor's investment theme for WordPress versions through 2.12 contains a Local File Inclusion (LFI) vulnerability that allows attackers to include and execute arbitrary local files on the server through improper handling of filename parameters in PHP include/require statements. This vulnerability enables information disclosure and potential remote code execution depending on server configuration and available files. While no CVSS score or EPSS data has been assigned, the vulnerability is tracked in the ENISA EUVD database (EUVD-2026-15532) and was reported by Patchstack, indicating active security research and likely proof-of-concept availability.

PHP Information Disclosure LFI
NVD VulDB
EPSS 0% CVSS 8.1
HIGH This Week

A Local File Inclusion (LFI) vulnerability exists in AncoraThemes VegaDays WordPress theme through version 1.2.0, allowing improper control of filenames in PHP include/require statements. Attackers can leverage this vulnerability to read arbitrary files from the affected server, potentially disclosing sensitive configuration files, database credentials, and other confidential data. While no CVSS score or EPSS data is currently available and KEV status is unknown, the vulnerability is classified as an information disclosure issue with a straightforward exploitation path typical of LFI vulnerabilities in WordPress themes.

PHP Information Disclosure LFI
NVD VulDB
EPSS 0% CVSS 8.1
HIGH This Week

This is a Local File Inclusion (LFI) vulnerability in AncoraThemes Unica WordPress theme versions up to and including 1.4.1, where improper control of filenames in PHP include/require statements allows attackers to read arbitrary local files from the affected server. An unauthenticated remote attacker can exploit this vulnerability to disclose sensitive information such as configuration files, database credentials, or other sensitive data stored on the server. The vulnerability is classified as CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program) and has been documented by Patchstack with ENISA EUVD tracking ID EUVD-2026-15528.

PHP Information Disclosure LFI
NVD VulDB
EPSS 0% CVSS 8.1
HIGH This Week

A Local File Inclusion (LFI) vulnerability exists in AncoraThemes Triompher WordPress theme versions up to and including 1.1.0, caused by improper control of filename parameters in PHP include/require statements. An unauthenticated attacker can exploit this vulnerability to read arbitrary files from the server, leading to information disclosure of sensitive data such as configuration files, database credentials, and other system files. No CVSS score, EPSS data, or known exploitation in the wild (KEV status) has been published, but the vulnerability is confirmed and documented by Patchstack with an available reference.

PHP Information Disclosure LFI
NVD VulDB
EPSS 0% CVSS 8.1
HIGH This Week

A security vulnerability in Elated-Themes Roisin roisin allows PHP Local File Inclusion (CVSS 8.1). High severity vulnerability requiring prompt remediation.

PHP Information Disclosure LFI
NVD VulDB
EPSS 0% CVSS 8.1
HIGH This Week

A Local File Inclusion (LFI) vulnerability exists in the Elated-Themes NeoBeat WordPress theme through version 1.2, allowing attackers to read arbitrary files from the affected server through improper control of filename parameters in PHP include/require statements. The vulnerability enables information disclosure attacks where an attacker can access sensitive files such as configuration files, database credentials, and source code without requiring authentication or special privileges. This is a CWE-98 vulnerability that transforms what was initially reported as PHP Remote File Inclusion (RFI) into a confirmed Local File Inclusion attack vector.

PHP Information Disclosure LFI
NVD VulDB
EPSS 0% CVSS 8.1
HIGH This Week

A Local File Inclusion (LFI) vulnerability exists in the Elated-Themes Gioia WordPress theme through version 1.4, allowing improper control of filenames in PHP include/require statements. Attackers can leverage this vulnerability to read sensitive local files from the affected web server, potentially disclosing configuration files, database credentials, or other confidential information. The vulnerability affects all installations of Gioia version 1.4 and earlier, with no CVSS or EPSS scoring data currently available, though the CWE-98 classification and LFI nature suggest moderate to high practical risk.

PHP Information Disclosure LFI
NVD VulDB
EPSS 0% CVSS 8.1
HIGH This Week

A Local File Inclusion (LFI) vulnerability exists in the AncoraThemes Dentalux WordPress theme through version 3.3, allowing attackers to include and execute arbitrary local files on the server. This vulnerability stems from improper control of filenames in PHP include/require statements (CWE-98), enabling attackers to read sensitive files or execute malicious code without requiring authentication. While no CVSS score or EPSS probability is currently available, the LFI classification and information disclosure tags indicate this poses a significant risk for unauthorized file access and potential remote code execution.

PHP Information Disclosure LFI
NVD VulDB
EPSS 0% CVSS 8.1
HIGH This Week

A Local File Inclusion (LFI) vulnerability exists in the Elated-Themes Amoli WordPress theme version 1.0 and earlier, stemming from improper control of filenames in PHP include/require statements. An attacker can exploit this weakness to read arbitrary files from the affected server, potentially disclosing sensitive configuration files, database credentials, or other confidential information. The vulnerability is classified under CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program) and has been documented by Patchstack with ENISA EUVD identifier EUVD-2026-15514.

PHP Information Disclosure LFI
NVD VulDB
EPSS 0% CVSS 8.1
HIGH This Week

A security vulnerability in ThemeREX ProLingua prolingua allows PHP Local File Inclusion (CVSS 8.1). High severity vulnerability requiring prompt remediation.

PHP Information Disclosure LFI
NVD VulDB
EPSS 0% CVSS 8.1
HIGH This Week

A Local File Inclusion (LFI) vulnerability exists in the ThemeREX Nelson WordPress theme through version 1.2.0, allowing attackers to read arbitrary files from the affected server. The vulnerability stems from improper control of filenames in PHP include/require statements (CWE-98), enabling information disclosure attacks without authentication. While no CVSS score or EPSS data is currently available, the LFI classification and public disclosure via Patchstack indicate this is a genuine security concern affecting WordPress installations using vulnerable Nelson theme versions.

PHP Information Disclosure LFI
NVD VulDB
EPSS 0% CVSS 8.1
HIGH This Week

A Local File Inclusion (LFI) vulnerability exists in AncoraThemes Mr. Cobbler WordPress theme through version 1.1.9, stemming from improper control of filenames in PHP include/require statements (CWE-98). An attacker can exploit this vulnerability to disclose sensitive local files from the affected server by manipulating include parameters. While no CVSS score or EPSS data is currently available and KEV status is unknown, the vulnerability is classified as high-severity due to its information disclosure impact and the ease with which LFI vulnerabilities are typically exploited.

PHP Information Disclosure LFI
NVD VulDB
EPSS 0% CVSS 8.1
HIGH This Week

This vulnerability is a Local File Inclusion (LFI) flaw in the Elated-Themes Lella WordPress theme that allows improper control of filename parameters in PHP include/require statements, enabling attackers to read arbitrary files from the affected server. The vulnerability affects Lella theme versions through 1.2, and while CVSS and EPSS scores are not available, the nature of LFI vulnerabilities typically permits information disclosure of sensitive files such as configuration files, database credentials, and source code. No KEV status or public proof-of-concept has been confirmed in this intelligence dataset, but the vulnerability was reported by Patchstack, a reputable WordPress security researcher.

PHP Information Disclosure LFI
NVD VulDB
EPSS 0% CVSS 8.1
HIGH This Week

A Local File Inclusion (LFI) vulnerability exists in the Laurent WordPress theme (versions up to 3.1) due to improper control of filenames in PHP include/require statements, allowing attackers to read arbitrary files from the affected server. This vulnerability, reported by Patchstack and tracked as EUVD-2026-15503, enables information disclosure attacks without requiring authentication or special privileges. The vulnerability is classified under CWE-98 (Improper Control of Filename for Include/Require Statement in PHP) and affects all installations of Laurent theme version 3.1 and earlier.

PHP Information Disclosure LFI
NVD VulDB
EPSS 0% CVSS 8.1
HIGH This Week

A Local File Inclusion (LFI) vulnerability exists in the AncoraThemes Hypnotherapy WordPress theme through version 1.2.10, allowing attackers to read arbitrary files from the affected server by manipulating filename parameters in PHP include/require statements. This vulnerability is classified as CWE-98 (Improper Control of Filename for Include/Require Statement) and enables information disclosure attacks. The vulnerability has been documented by Patchstack and assigned EUVD ID EUVD-2026-15502, though no CVSS score or CVSS vector has been formally assigned, and active exploitation status remains unconfirmed in public intelligence.

PHP Information Disclosure LFI
NVD VulDB
EPSS 0% CVSS 8.1
HIGH This Week

AncoraThemes Greenville WordPress theme versions up to and including 1.3.2 contain a Local File Inclusion (LFI) vulnerability resulting from improper control of filenames in PHP include/require statements (CWE-98). An attacker can exploit this vulnerability to read arbitrary files from the affected server, leading to information disclosure of sensitive configuration files, source code, and other locally stored data. No CVSS score, EPSS probability, or KEV status have been assigned at this time, though the vulnerability has been formally documented by Patchstack and assigned an ENISA EUVD ID.

PHP Information Disclosure LFI
NVD VulDB
EPSS 0% CVSS 8.1
HIGH This Week

A Local File Inclusion (LFI) vulnerability exists in the ThemeREX Good Homes WordPress theme through version 1.3.13, allowing attackers to include and execute arbitrary local files on the affected server. The vulnerability stems from improper control of filenames in PHP include/require statements (CWE-98), enabling unauthenticated attackers to disclose sensitive information or achieve remote code execution by accessing system files. No CVSS score, EPSS data, or active KEV designation was reported, but the LFI classification and information disclosure impact indicate this requires prompt patching.

PHP LFI Information Disclosure
NVD VulDB
EPSS 0% CVSS 8.1
HIGH This Week

A Local File Inclusion (LFI) vulnerability exists in the Elated-Themes Gaspard WordPress theme through version 1.3, stemming from improper control of filenames in PHP include/require statements. An unauthenticated attacker can exploit this vulnerability to read arbitrary files from the affected server, potentially disclosing sensitive information such as configuration files, database credentials, or other sensitive data. The vulnerability affects all versions up to and including 1.3, and while no CVSS score or EPSS data is currently published, the LFI classification and information disclosure impact indicate this requires prompt remediation.

PHP Information Disclosure LFI
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Uptime Kuma versions 1.23.0 through 2.2.0 contain an incomplete Server-Side Template Injection (SSTI) vulnerability in the LiquidJS templating engine that allows authenticated attackers to read arbitrary files from the server. A prior fix (GHSA-vffh-c9pq-4crh) attempted to restrict file path access through three mitigation options (root, relativeReference, dynamicPartials), but this fix only blocks quoted paths; attackers can bypass the mitigation by using unquoted absolute paths like /etc/passwd that successfully resolve through the require.resolve() fallback mechanism in liquid.node.js. The vulnerability requires low privileges (authenticated access) but can result in high confidentiality impact, making it a notable information disclosure risk for self-hosted monitoring deployments.

Node.js LFI Code Injection +1
NVD GitHub VulDB
EPSS 0% CVSS 8.1
HIGH This Week

A PHP Local File Inclusion vulnerability exists in the ThemeREX Melania WordPress theme, allowing remote attackers to include and execute arbitrary local files on the server. All versions up to and including 2.5.0 are affected. The CVSS score of 8.1 indicates high severity with network-based attack vector, though attack complexity is rated as high; there is no evidence of active exploitation (not in KEV) or public proof-of-concept at this time.

PHP Information Disclosure LFI
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

ThimPress BuilderPress, a WordPress plugin, contains a Local File Inclusion vulnerability through improper filename control in PHP include/require statements that allows unauthenticated remote attackers to read arbitrary files from the server. All versions through 2.0.1 are affected. With a CVSS score of 9.8 (Critical) and no authentication required, this represents a severe vulnerability allowing unauthorized information disclosure, though EPSS and KEV status data are not provided in the intelligence sources.

PHP Information Disclosure LFI
NVD VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

A PHP remote/local file inclusion vulnerability exists in the Ovatheme Tripgo WordPress theme due to improper control of filename parameters in include/require statements. Versions prior to 1.5.6 are affected, allowing unauthenticated remote attackers to potentially include arbitrary files and execute malicious code. This vulnerability has a CVSS score of 8.1 (High) with network attack vector but high attack complexity, and has been reported by Patchstack as exploitable for local file inclusion and information disclosure.

PHP Information Disclosure LFI
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

The NextGEN Gallery plugin for WordPress contains a Local File Inclusion vulnerability in the 'template' parameter of gallery shortcodes, affecting all versions up to and including 4.0.3. Authenticated attackers with Author-level privileges or higher can include and execute arbitrary PHP files on the server, potentially leading to remote code execution, data theft, or complete site compromise. This is a confirmed vulnerability reported by Wordfence with a high CVSS score of 8.8, though no active exploitation (KEV) status has been reported at this time.

WordPress PHP LFI +2
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

LDAP Account Manager (LAM), a web-based interface for managing LDAP directory entries, contains a local file inclusion vulnerability in its PDF export functionality that allows authenticated users to include and execute arbitrary PHP files. When chained with GHSA-88hf-2cjm-m9g8, this vulnerability enables complete remote code execution on the affected server. The vulnerability affects all versions prior to 9.5 and requires low-privilege authentication (CVSS 8.8, PR:L), tracking across 7 Ubuntu and 4 Debian releases indicates significant deployment in enterprise LDAP environments.

PHP LFI RCE
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

A PHP remote file inclusion vulnerability exists in themelexus Medilazar Core WordPress plugin that allows attackers to include arbitrary PHP files from local or remote sources, potentially leading to remote code execution. The vulnerability affects all versions of Medilazar Core prior to 1.4.7 and requires low privileges but high attack complexity to exploit. While not currently listed in CISA KEV or showing high EPSS scores, the potential for code execution makes this a serious concern for WordPress sites using this medical/healthcare theme framework.

Information Disclosure PHP LFI
NVD VulDB
EPSS 0% CVSS 7.2
HIGH This Week

Sprout Invoices Client Invoicing versions 20.8.9 and earlier contain a local file inclusion vulnerability in PHP that allows authenticated attackers with high privileges to read arbitrary files on the affected server. An attacker exploiting this vulnerability could access sensitive configuration files, source code, or other confidential data without requiring user interaction. No patch is currently available for this vulnerability.

Information Disclosure LFI PHP
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

A PHP remote file inclusion vulnerability exists in the ThemetechMount Boldman theme that allows attackers to include arbitrary local files, potentially leading to remote code execution. The vulnerability affects all Boldman theme versions up to and including version 7.7, enabling authenticated attackers with low privileges to compromise the system through malicious file inclusion. While not currently listed in CISA's KEV catalog, the vulnerability has a moderate CVSS score of 7.5 and requires some attack complexity to exploit successfully.

LFI PHP Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Greenly Theme Addons for PHP versions prior to 8.2 contain a local file inclusion vulnerability in filename handling that allows authenticated attackers to read arbitrary files on the affected server. An attacker with valid credentials can exploit improper input validation to include and execute local files, potentially leading to information disclosure or code execution. No patch is currently available for this vulnerability.

Information Disclosure LFI PHP
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Local file inclusion in Greenly through version 8.1 allows authenticated attackers to read arbitrary files on the server due to improper input validation in file inclusion functions. The vulnerability requires valid credentials but no user interaction, enabling attackers with PHP access to potentially escalate privileges or extract sensitive data. No patch is currently available for this high-severity vulnerability affecting the PHP-based Greenly application.

Information Disclosure LFI PHP
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

WpBookingly plugin versions 1.2.9 and earlier contain a local file inclusion vulnerability in their service-booking-manager component that allows authenticated attackers to read arbitrary files from the affected server. An attacker with valid credentials can exploit improper filename validation in PHP include/require statements to access sensitive information on the system. No patch is currently available for this vulnerability.

Information Disclosure LFI PHP
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Medilink-Core versions before 2.0.7 contain a local file inclusion vulnerability in PHP that allows authenticated attackers to read arbitrary files on the affected system through improper handling of file inclusion statements. An attacker with valid credentials can exploit this weakness to access sensitive information without requiring user interaction. No patch is currently available for this vulnerability.

Information Disclosure LFI PHP
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Turbo Manager versions below 4.0.8 contain a local file inclusion vulnerability in PHP file handling that allows authenticated attackers to include and execute arbitrary files on the system. An attacker with valid credentials can leverage improper filename validation to access sensitive files or achieve code execution. No patch is currently available, and exploitation requires network access with valid authentication credentials.

Information Disclosure LFI PHP
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

LFI to RCE in IFTOP by WellChoose.

LFI PHP RCE +1
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Openclaw versions up to 2026.2.14 contains a vulnerability that allows attackers to read arbitrary files from the local filesystem (CVSS 7.5).

LFI Openclaw
NVD GitHub
EPSS 0% CVSS 8.1
HIGH This Week

Local file inclusion in axiomthemes Little Birdies plugin version 1.3.16 and earlier enables unauthenticated remote attackers to read arbitrary files from the server through improper input validation on file inclusion parameters. An attacker can exploit this vulnerability to access sensitive configuration files, source code, or other data without authentication. No patch is currently available for this vulnerability.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local file inclusion in ThemeREX Verse PHP theme versions 1.7.0 and earlier allows unauthenticated attackers to read arbitrary files on the server through improper input validation on file inclusion functions. The vulnerability requires specific conditions for exploitation but carries high impact potential including confidentiality and integrity compromise. No patch is currently available.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local file inclusion in AncoraThemes Midi through version 1.14 enables unauthenticated remote attackers to read arbitrary files on affected systems. The vulnerability stems from improper validation of file paths in PHP include/require statements, allowing attackers to traverse directories and access sensitive data. Currently no patch is available for this vulnerability.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

AncoraThemes Notarius through version 1.9 contains a local file inclusion vulnerability in its PHP file handling that allows unauthenticated remote attackers to read arbitrary files from the affected server. The vulnerability stems from improper validation of filenames in include/require statements, enabling attackers to traverse the filesystem and access sensitive data. No patch is currently available for this high-severity flaw.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

AncoraThemes Veil through version 1.9 contains a local file inclusion vulnerability in PHP that allows unauthenticated attackers to read arbitrary files on the affected server. The vulnerability stems from improper input validation on file include/require statements, enabling attackers to manipulate filename parameters to access sensitive system files. While no patch is currently available, the exploit requires specific conditions (high complexity) to successfully leverage.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local and remote file inclusion in AncoraThemes Anderson through version 1.4.2 enables attackers to read arbitrary files or execute malicious code on affected systems. The vulnerability stems from improper validation of file paths in PHP include/require statements, allowing unauthenticated attackers to manipulate input parameters over the network. No patch is currently available for this high-severity issue affecting PHP-based installations.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local file inclusion in ThemeREX Dr.Patterson plugin versions up to 1.3.2 enables unauthenticated attackers to read arbitrary files from the server through improper input validation on file inclusion parameters. The vulnerability allows information disclosure and potential code execution depending on server configuration and accessible files. No patch is currently available for this vulnerability.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Axiomthemes Nirvana version 2.6 and earlier contains a local file inclusion vulnerability in its PHP include/require handling that allows unauthenticated attackers to read arbitrary files from the server. The vulnerability stems from improper filename validation and could enable information disclosure or facilitate further compromise, though no patch is currently available. With a CVSS score of 8.1 and low exploitation likelihood (0.2% EPSS), organizations running affected versions should prioritize mitigation strategies until an official patch is released.

PHP LFI Information Disclosure
NVD VulDB
EPSS 0% CVSS 8.1
HIGH This Week

The Welldone WordPress theme through version 2.4 contains a local file inclusion vulnerability in its PHP include/require handling that enables unauthenticated remote attackers to read arbitrary files from the affected server. With a CVSS score of 8.1, this vulnerability allows full compromise of confidentiality and integrity without requiring user interaction. No patch is currently available, making immediate mitigation through other means necessary.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Remote attackers can include arbitrary local files in the smartSEO WordPress theme (≤2.9) via a PHP Local File Inclusion vulnerability, potentially exposing sensitive configuration data or enabling server-side code execution. Despite high CVSS (8.1), EPSS exploitation probability is low (0.15%, 36th percentile) with no confirmed active exploitation or CISA KEV listing. The vulnerability requires specific preconditions that increase attack complexity (AC:H), though exploitation succeeds without authentication or user interaction once conditions are met.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local file inclusion in ThemeREX Muzicon WordPress theme versions ≤1.9.0 allows remote unauthenticated attackers to read arbitrary files from the web server filesystem and potentially execute PHP code. Despite a CVSS score of 8.1, real-world risk is moderated by high attack complexity (AC:H) and no confirmed active exploitation - EPSS probability is only 0.15% (36th percentile). The Patchstack report confirms the vulnerability but no public exploit code has been identified at time of analysis.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local File Inclusion (LFI) in ThemeREX Save Life WordPress theme versions 1.2.13 and earlier enables remote unauthenticated attackers to read arbitrary files from the server filesystem and potentially achieve code execution by including uploaded or log files. Despite the network attack vector (AV:N), high attack complexity (AC:H) suggests successful exploitation requires specific server configurations or carefully crafted payloads. EPSS score of 0.15% (36th percentile) indicates low current exploitation probability, and no active exploitation is confirmed per CISA KEV or public exploit databases at time of analysis.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local file inclusion in Artrium WordPress theme versions ≤1.0.14 allows remote unauthenticated attackers to read arbitrary server files and potentially execute PHP code through improper file inclusion controls. Despite a high CVSS 8.1 score, EPSS shows only 0.15% exploitation probability (36th percentile), suggesting limited real-world targeting. The vulnerability was disclosed by Patchstack's audit team with no confirmed active exploitation or public POC at time of analysis, though LFI vulnerabilities in WordPress themes are commonly targeted once proof-of-concept code becomes available.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Remote file inclusion vulnerability in ThemeREX WealthCo WordPress theme versions up to 2.18 allows unauthenticated remote attackers to include and execute arbitrary PHP files via manipulated filename parameters. Despite CVSS 8.1 rating, EPSS exploitation probability is low (0.15%, 36th percentile) with no CISA KEV listing or public exploit identified at time of analysis. Vulnerability stems from improper validation of file paths in PHP include/require statements, though attack complexity is rated High, suggesting specific conditions or chained exploitation required.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local file inclusion in ThemeREX Marcell WordPress theme versions ≤1.2.14 allows remote attackers to read arbitrary files from the server filesystem and potentially execute malicious code. The vulnerability stems from improper validation of file paths in PHP include/require statements. Exploitation probability is low (EPSS 0.15%) with no confirmed active exploitation or public proof-of-concept at time of analysis. Discovered and reported by Patchstack's security audit team.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local file inclusion in ThemeREX RexCoin WordPress theme versions up to 1.2.6 allows remote attackers to read arbitrary files and potentially achieve code execution without authentication. Despite the high CVSS score of 8.1, the low EPSS percentile (36%) and AC:H complexity suggest limited active exploitation. Patchstack audit team reported this vulnerability with proof-of-concept available, indicating realistic exploit feasibility against improperly configured installations.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local file inclusion in ThemeREX Ozisti WordPress theme versions up to 1.1.10 enables remote unauthenticated attackers to read arbitrary files from the web server filesystem and potentially execute PHP code by including malicious local files. Despite the high CVSS score of 8.1, exploitation requires high complexity (AC:H) and EPSS indicates only 0.15% probability of exploitation in the wild (36th percentile), suggesting limited real-world targeting. No active exploitation confirmed by CISA KEV, though Patchstack has documented the vulnerability with security researchers.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local File Inclusion in ThemeREX Sounder WordPress theme versions through 1.3.11 enables remote attackers to include and execute arbitrary local PHP files without authentication. Despite the CVE title referencing 'Remote File Inclusion', technical analysis and Patchstack classification confirm this is a Local File Inclusion (LFI) vulnerability. With EPSS at 0.15% (36th percentile), widespread exploitation is unlikely, but successful attacks achieve high impact across confidentiality, integrity, and availability. No active exploitation confirmed via CISA KEV at time of analysis.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local file inclusion in ThemeREX Coleo WordPress theme (versions ≤1.1.7) allows remote attackers to read arbitrary files and potentially execute PHP code via crafted file path manipulation. Despite high CVSS 8.1, exploitation requires high attack complexity (AC:H), and EPSS score of 0.15% (36th percentile) suggests limited real-world exploitation activity. No CISA KEV listing indicates this is not confirmed as actively exploited, though Patchstack database inclusion suggests security researcher identification and likely proof-of-concept existence.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local file inclusion (LFI) vulnerability in ThemeREX Gamezone WordPress theme versions up to 1.1.11 allows remote unauthenticated attackers to read arbitrary files from the web server, potentially exposing configuration files, credentials, and sensitive application data. The CVSS score of 8.1 reflects high complexity exploitation requiring specific conditions, while the low EPSS score (0.15%, 36th percentile) indicates minimal observed exploitation attempts in the wild. No active exploitation confirmed by CISA KEV at time of analysis.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

PHP Local File Inclusion in ThemeREX Daiquiri WordPress theme versions ≤1.2.4 allows remote attackers to read arbitrary files or execute PHP code by exploiting improper filename control in include/require statements. Despite high CVSS (8.1), real-world risk is moderate: EPSS exploitation probability is low (0.15%, 36th percentile), no confirmed active exploitation exists, and attack complexity is high (AC:H). Patchstack audit identified this vulnerability, suggesting professional security review but no public exploit code at time of analysis.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local file inclusion vulnerability in ThemeREX Aqualots WordPress theme versions up to 1.1.6 enables remote attackers to include arbitrary PHP files on the server without authentication. Despite the description's mention of 'remote file inclusion', the CVE is classified as CWE-98 (PHP Local File Inclusion) and tagged as LFI by Patchstack, indicating attackers can read sensitive files or execute local PHP code. EPSS exploitation probability is low (0.15%, 36th percentile) with no evidence of active exploitation or public POCs, though the high-complexity network attack vector suggests targeted exploitation scenarios.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local file inclusion in ThemeREX Filmax WordPress theme versions ≤1.1.11 enables remote attackers to read arbitrary files from the web server and potentially execute malicious code. The vulnerability stems from improper filename validation in PHP include/require statements, categorized as CWE-98. Despite a CVSS score of 8.1, EPSS probability is low (0.15%, 36th percentile), suggesting targeted rather than widespread exploitation. Patchstack database identifies this as affecting information disclosure through LFI techniques, with no confirmed active exploitation or KEV listing at time of analysis.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local file inclusion vulnerability in ThemeREX Run Gran WordPress theme versions through 2.0 allows remote attackers to read arbitrary files from the web server filesystem via crafted PHP include statements. Despite the moderate EPSS score (0.15%, 36th percentile), the high-complexity attack vector suggests exploitation requires specific knowledge of file paths or application structure. No active exploitation confirmed (not in CISA KEV), and no public proof-of-concept code identified at time of analysis. Patchstack has documented this vulnerability, indicating awareness within the WordPress security community.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local file inclusion in ThemeREX Mahogany WordPress theme versions through 2.9 enables remote unauthenticated attackers to read arbitrary files from the web server filesystem via manipulated PHP include/require statements. While classified as high-severity (CVSS 8.1), real-world exploitation risk appears moderate given the EPSS score of 0.15% (36th percentile) and high attack complexity rating. No active exploitation or public exploit code identified at time of analysis. Patchstack security audit identified and disclosed this vulnerability.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

PHP Local File Inclusion in ThemeREX Bazinga theme for WordPress (versions ≤1.1.9) allows remote unauthenticated attackers to include and execute arbitrary local files via improper filename control in require/include statements. Despite high CVSS 8.1 severity, EPSS exploitation probability is low (0.15%, 36th percentile), and no active exploitation or public POC has been identified at time of analysis. Patchstack database reports this as both a local file inclusion vector and potential information disclosure issue, suggesting exploitation could lead to code execution through PHP file inclusion or exposure of sensitive configuration data.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local file inclusion in the ThemeREX Windsor WordPress theme allows remote attackers to include and execute arbitrary PHP files on the server through improper filename control. Affects all versions through 2.5.0. Despite CVSS 8.1 (High), EPSS indicates low exploitation probability (0.15%, 36th percentile), suggesting limited attacker interest. No active exploitation confirmed via CISA KEV at time of analysis. Patchstack database lists this vulnerability with PHP and information disclosure tags, indicating potential for data exfiltration beyond code execution.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local File Inclusion in Conquerors WordPress theme 1.2.13 and earlier enables remote attackers to read arbitrary files from the server filesystem, potentially exposing configuration files, credentials, and sensitive data. Despite a CVSS score of 8.1, EPSS exploitation probability is low (0.15%, 36th percentile) with no confirmed active exploitation or public POC at time of analysis. However, the network-accessible attack vector with no authentication requirement makes this a priority for sites running the affected theme.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local file inclusion in ThemeREX Vapester WordPress theme versions ≤1.1.10 allows remote unauthenticated attackers to read arbitrary files from the web server, potentially exposing configuration files, credentials, and sensitive application data. Despite high CVSS score of 8.1, EPSS probability of 0.15% (36th percentile) suggests limited observed exploitation attempts. No active exploitation confirmed by CISA KEV, though Patchstack database listing indicates vulnerability is known to security researchers.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local file inclusion in ThemeREX Le Truffe WordPress theme versions up to 1.1.7 enables remote attackers to read arbitrary files from the web server without authentication. While CVSS scores 8.1 (High), EPSS exploitation probability is low (0.15%, 36th percentile) with no confirmed active exploitation. The vulnerability stems from improper filename control in PHP include/require statements, allowing path traversal to access sensitive server files. No public exploit code identified at time of analysis.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local File Inclusion in ThemeREX Rhythmo WordPress theme through version 1.3.4 allows remote unauthenticated attackers to read arbitrary files on the server and potentially achieve remote code execution through log file poisoning or PHP wrapper exploitation. Despite network attack vector (AV:N) and high impact ratings (C:H/I:H/A:H), EPSS probability remains low at 0.15%, and no active exploitation has been confirmed in CISA KEV. Attack complexity is rated HIGH (AC:H), indicating specific conditions or timing required for successful exploitation.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local File Inclusion vulnerability in ThemeREX Bassein WordPress theme versions up to 1.0.15 allows remote unauthenticated attackers to include and execute arbitrary PHP files on the server via improper filename handling. Despite CVSS 8.1 High severity, EPSS exploitation probability is only 0.15% (36th percentile), suggesting limited attacker interest. No active exploitation confirmed (not in CISA KEV) and no public exploit code identified at time of analysis. Patchstack advisory indicates this is a PHP file inclusion flaw affecting theme installations.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local file inclusion in ThemeREX Legrand WordPress theme versions ≤2.17 allows remote attackers to read arbitrary files from the server filesystem through improper filename validation in PHP include/require statements. Despite high CVSS 8.1, EPSS exploitation probability is low (0.15%, 36th percentile) with no confirmed active exploitation or public exploit code. Reported by Patchstack security research team, this represents a moderate real-world risk primarily for installations where attackers can control file path parameters.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local file inclusion in ThemeREX Eject WordPress theme versions up to 2.17 enables remote attackers to read arbitrary files on the server or execute PHP code without authentication. Despite high CVSS 8.1 severity, EPSS exploitation probability remains low at 0.15% (36th percentile) with no confirmed active exploitation. Patchstack security audit identified the vulnerability as a PHP file inclusion flaw allowing information disclosure through improper filename control in include/require statements.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local file inclusion in ThemeREX Edge Decor WordPress theme through version 2.2 allows remote attackers to read arbitrary files on the server and potentially execute code via improper control of PHP include/require statements. Despite a CVSS score of 8.1, real-world exploitation risk appears moderate with EPSS at 0.15% (36th percentile) and no evidence of active exploitation or public POC. Attack complexity is rated high (AC:H), suggesting exploitation requires specific conditions beyond default configuration.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local file inclusion in ThemeREX Asia Garden WordPress theme (versions ≤1.3.1) allows remote attackers to include and execute arbitrary PHP files on the server. Despite a CVSS base score of 8.1 (High), the EPSS score of 0.15% (36th percentile) indicates low observed exploitation probability in the wild. The vulnerability requires high attack complexity (AC:H) but no authentication (PR:N), enabling unauthenticated remote exploitation under specific conditions. Patchstack database confirmed this LFI vulnerability affecting WordPress installations using this theme.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local file inclusion in ThemeREX Happy Baby WordPress theme versions ≤1.2.12 allows remote unauthenticated attackers to read arbitrary files from the web server and potentially execute PHP code. Patchstack reported this vulnerability (CWE-98) affecting file inclusion controls, though EPSS probability remains low at 0.15% with no confirmed active exploitation. The CVSS vector indicates network-based attack with high complexity but no authentication requirement, enabling confidentiality, integrity, and availability compromise.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local file inclusion in ThemeREX Tiger Claw WordPress theme allows remote attackers to read arbitrary files from the web server and potentially execute code. Affects versions up to and including 1.1.14. Despite a high CVSS score of 8.1, the EPSS probability is low at 0.15% (36th percentile), suggesting limited exploitation attempts observed to date. No active exploitation confirmed by CISA KEV, though the vulnerability was reported by Patchstack's security research team.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local file inclusion in ThemeREX S.King WordPress theme through version 1.5.3 allows remote unauthenticated attackers to read arbitrary files on the server and potentially execute PHP code via path manipulation in include/require statements. Despite the 8.1 CVSS score reflecting high severity, EPSS exploitation probability is low (0.15%, 36th percentile) and no active exploitation or public POC has been reported. Patchstack audit team disclosed this vulnerability affecting WordPress deployments using this theme.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local File Inclusion (LFI) vulnerability in ThemeREX Dermatology Clinic WordPress theme versions ≤1.4.3 allows remote attackers to include and execute arbitrary PHP files on the server. Despite CVSS 8.1, EPSS score of 0.15% (36th percentile) indicates low probability of mass exploitation. Patchstack database confirms the vulnerability but no CISA KEV listing or public exploit code identified at time of analysis, suggesting limited real-world targeting of this WordPress theme.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local file inclusion in ThemeREX Dixon WordPress theme through version 1.4.2.1 allows remote attackers to read arbitrary files from the server filesystem without authentication. Despite high attack complexity (AC:H), this vulnerability enables unauthorized access to sensitive configuration files, credentials, and potentially source code. EPSS score of 0.15% (36th percentile) indicates low probability of mass exploitation, consistent with targeting of a specific premium WordPress theme. No active exploitation confirmed (not in CISA KEV), but Patchstack public disclosure increases attack surface visibility.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local file inclusion in ThemeREX Mandala WordPress theme versions ≤2.8 allows remote unauthenticated attackers to read arbitrary server files and potentially execute PHP code through improper filename control in include/require statements. Despite a CVSS score of 8.1, the EPSS probability remains low (0.15%, 36th percentile), suggesting limited attacker interest or exploitation barriers. No active exploitation or public proof-of-concept has been identified, and the vulnerability requires high attack complexity (AC:H), indicating specific conditions must be met for successful exploitation.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local file inclusion in MCKinney's Politics WordPress theme versions ≤1.2.8 allows remote attackers to read arbitrary files on the server via path traversal in include/require statements. Despite the high CVSS score (8.1), EPSS probability is low (0.15%, 36th percentile) and no active exploitation is documented. Patchstack has cataloged this as a confirmed vulnerability affecting the ThemeREX-developed WordPress theme, enabling information disclosure through improper input validation in PHP file inclusion functions.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local file inclusion in the M.Williamson WordPress theme through version 1.2.11 enables remote attackers to read arbitrary files from the server filesystem without authentication. Despite high-complexity exploitation barriers (CVSS AC:H), this vulnerability carries an 8.1 CVSS score due to complete compromise of confidentiality and integrity if successfully exploited. EPSS score of 0.15% (36th percentile) suggests low probability of mass exploitation. No active exploitation confirmed via CISA KEV, though Patchstack database inclusion indicates researcher discovery and analysis.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local file inclusion in Legal Stone WordPress theme 1.2.11 and earlier allows remote attackers to read arbitrary files and potentially execute malicious code through improper filename control in PHP include/require statements. Exploitation probability remains low (EPSS 0.15%, 36th percentile) with no confirmed active exploitation, though the network-accessible attack vector and lack of authentication requirements present material risk for sites using this theme. Patchstack database reports this vulnerability affecting all versions through 1.2.11.

PHP LFI Information Disclosure
NVD
Prev Page 3 of 14 Next

Quick Facts

Typical Severity
HIGH
Category
web
Total CVEs
1172

Related CWEs

MITRE ATT&CK

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy