Local File Inclusion
Local File Inclusion vulnerabilities occur when an application accepts user-controlled input to specify which file should be loaded or executed, typically through functions like PHP's `include()`, `require()`, or `fopen()`.
How It Works
An attacker manipulates the file path parameter, often with directory traversal sequences like `../` or with absolute paths, to access files outside the intended directory. For example, a URL parameter `?page=dashboard` might be vulnerable if changed to `?page=../../../../etc/passwd`.
Modern LFI exploitation extends beyond simple file reading. Attackers leverage PHP wrappers like `php://filter` to apply encoding filters that bypass content restrictions. The `php://filter/convert.base64-encode` wrapper allows reading PHP source code without execution, exposing credentials and logic flaws. More sophisticated attacks chain multiple filters together to construct executable PHP code from seemingly harmless character transformations.
Log poisoning escalates LFI to remote code execution by injecting malicious PHP code into log files (access logs, error logs, email logs), then using the LFI vulnerability to include and execute those logs. Attackers can also abuse data wrappers (`data://text/plain,<?php system($_GET['cmd']);?>`) or `expect://` protocol handlers depending on server configuration.
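Detection logic for the request patterns described above, run over constructed access-log lines. This is an added example, not code from the original page; the function names, rule names and sample lines are assumptions.

```php
<?php
declare(strict_types=1);

// Added example. Log lines are constructed; function and rule names are hypothetical.

/** Percent-decode repeatedly (bounded) so nested encoding cannot hide a sequence. */
function fully_decode(string $s, int $maxRounds = 3): string
{
    for ($i = 0; $i < $maxRounds; $i++) {
        $next = rawurldecode($s);
        if ($next === $s) {
            break;
        }
        $s = $next;
    }
    return $s;
}

/** Names of the LFI indicators found in one request-parameter value. */
function lfi_indicators(string $value): array
{
    $decoded = fully_decode($value);
    $rules = [
        'traversal'     => '#(^|[\\\\/])\.\.([\\\\/]|$)#',   // ".." as a path segment
        'wrapper'       => '#(php|data|expect|phar)://#i',   // wrappers named in the text
        'null_byte'     => '/\x00/',
        'absolute_path' => '#^(/|[A-Za-z]:[\\\\/])#',        // noisy: tune per parameter
    ];
    $hits = [];
    foreach ($rules as $name => $pattern) {
        if (preg_match($pattern, $decoded) === 1) {
            $hits[] = $name;
        }
    }
    return $hits;
}

/** Scan combined-format access log lines; returns one finding per suspicious field. */
function scan_access_log(array $lines): array
{
    $re = '/^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d{3} \S+ "([^"]*)" "([^"]*)"$/';
    $findings = [];
    foreach ($lines as $n => $line) {
        if (preg_match($re, $line, $m) !== 1) {
            continue; // not a combined-format line
        }
        [, $client, $target, $referer, $agent] = $m;

        // Split the query string by hand so each raw value is decoded and checked once here.
        $qpos  = strpos($target, '?');
        $query = $qpos === false ? '' : substr($target, $qpos + 1);
        foreach (explode('&', $query) as $pair) {
            if ($pair === '') {
                continue;
            }
            [$key, $value] = array_pad(explode('=', $pair, 2), 2, '');
            $hits = lfi_indicators($value);
            if ($hits !== []) {
                $findings[] = ['line' => $n + 1, 'client' => $client,
                               'field' => "param:$key", 'hits' => $hits];
            }
        }

        // Log poisoning: a PHP open tag stored in a logged header becomes code
        // if the log file is later pulled in through an include.
        foreach (['referer' => $referer, 'user_agent' => $agent] as $field => $text) {
            if (preg_match('/<\?(php|=)/i', fully_decode($text)) === 1) {
                $findings[] = ['line' => $n + 1, 'client' => $client,
                               'field' => $field, 'hits' => ['php_open_tag']];
            }
        }
    }
    return $findings;
}

// Constructed sample lines (documentation IP ranges, not real traffic).
$sample = [
    '192.0.2.10 - - [01/Jan/2025:10:00:00 +0000] "GET /index.php?page=dashboard HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jan/2025:10:00:05 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 1834 "-" "curl/8.0"',
    '198.51.100.7 - - [01/Jan/2025:10:00:09 +0000] "GET /index.php?page=%2e%2e%2f%2e%2e%2fconfig HTTP/1.1" 200 90 "-" "curl/8.0"',
    '198.51.100.7 - - [01/Jan/2025:10:00:12 +0000] "GET /index.php?page=php%3A%2F%2Ffilter%2Fconvert.base64-encode HTTP/1.1" 200 4096 "-" "curl/8.0"',
    '198.51.100.7 - - [01/Jan/2025:10:00:20 +0000] "GET / HTTP/1.1" 200 512 "-" "<?php /* constructed marker */ ?>"',
];

foreach (scan_access_log($sample) as $f) {
    printf("line %d  %-14s %-12s %s\n", $f['line'], $f['client'], $f['field'], implode(',', $f['hits']));
}
```

A 200 response with an unusually large body on a flagged line is the case to triage first, since it suggests the include succeeded.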
Impact
- Source code disclosure — exposing application logic, API keys, database credentials, and proprietary algorithms
- Configuration file access — reading database connection strings, encryption keys, cloud service credentials from config files
- Sensitive data extraction — accessing `/etc/passwd`, SSH keys, user data files, session tokens
- Remote code execution — through log poisoning, wrapper abuse, or including uploaded files containing malicious code
- Lateral movement preparation — gathering internal network details, service configurations, and authentication mechanisms
Real-World Examples
The osTicket CVE-2022-22200 vulnerability demonstrated advanced filter chain exploitation where attackers injected a PHP filter chain into a ticket's CSS style attribute. The malicious payload bypassed the htmLawed HTML sanitizer using strategic whitespace, then exploited mPDF's processing of php:// wrappers after URL-decoding. This allowed arbitrary file reading that escalated to RCE through chained filter operations.
phpMyAdmin has experienced multiple LFI vulnerabilities where attackers manipulated theme selection or language file parameters to include arbitrary files, often combining this with session file poisoning to achieve code execution. Plugins for content management systems such as WordPress frequently expose LFI through template loading mechanisms where developers fail to validate file path inputs properly.
Mitigation
- Eliminate dynamic file inclusion — use routing tables or switch statements mapping IDs to hardcoded file paths instead of concatenating user input
- Strict allowlisting — maintain explicit arrays of permitted files; validate user input against this list, never use input directly in paths
- Disable dangerous PHP wrappers — set `allow_url_include=0` and `allow_url_fopen=0` in php.ini; disable `expect://`, `phar://`, and `data://` wrappers
- Implement path canonicalization — resolve paths with `realpath()`, verify they remain within allowed directories using `strpos()` checks
- Apply least privilege — run web applications with minimal file system permissions, preventing access to sensitive system files
- Input validation — reject any input containing `../`, absolute paths, null bytes, or protocol specifiers
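The allowlist and path-canonicalization items above, combined in one resolver and run against a constructed temporary directory. This is an added example, not code from the original page; `resolve_page()`, the page map and the file layout are assumptions.

```php
<?php
declare(strict_types=1);

// Added example. File names, the page map and the temp layout are hypothetical.

// Pattern the mitigations replace (shown as a comment only, never executed):
//   include __DIR__ . '/pages/' . $_GET['page'] . '.php';

/**
 * Map a request ID to a file inside $baseDir.
 * Returns the canonical absolute path, or null when the request must be refused.
 *
 * @param array<string,string> $pages allowlist: request ID => hardcoded file name
 */
function resolve_page(string $pageId, array $pages, string $baseDir): ?string
{
    // 1. Allowlist: exact key match. The user's string is only ever a lookup key.
    if (!array_key_exists($pageId, $pages)) {
        return null;
    }

    // 2. Canonicalize. realpath() resolves "..", "." and symlinks, and returns
    //    false when the target does not exist.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $pages[$pageId]);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }

    // 3. Containment. Compare against the base plus a trailing separator and
    //    require position 0 with !==. Without the separator, a sibling such as
    //    ".../pages_backup" passes; with a loose "if (strpos(...))" test,
    //    position 0 (the only valid result) is treated as false.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strpos($path, $prefix) !== 0) {
        return null;
    }
    return $path;
}

// --- Demo on a constructed layout (POSIX; symlink() needs privileges on Windows) ---
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'lfi_demo_' . bin2hex(random_bytes(4));
mkdir("$root/pages", 0700, true);
mkdir("$root/pages_backup", 0700, true);
file_put_contents("$root/pages/dashboard.php", "<?php return 'dashboard';");
file_put_contents("$root/pages_backup/old.php", "<?php return 'old';");
// An allowlisted name that is a symlink pointing out of the base directory.
symlink("$root/pages_backup/old.php", "$root/pages/help.php");

$pages = ['dashboard' => 'dashboard.php', 'help' => 'help.php', 'profile' => 'profile.php'];

$requests = [
    'dashboard',                            // allowlisted and inside the base
    '../../../../etc/passwd',               // traversal string from the text: not a key
    'php://filter/convert.base64-encode',   // wrapper string from the text: not a key
    'help',                                 // allowlisted, but the symlink leaves the base
    'profile',                              // allowlisted, but the file is missing
];
foreach ($requests as $id) {
    $resolved = resolve_page($id, $pages, "$root/pages");
    printf("%-38s %s\n", $id, $resolved === null ? 'REFUSED' : 'OK ' . basename($resolved));
}

// Clean up the constructed files.
unlink("$root/pages/help.php");
unlink("$root/pages/dashboard.php");
unlink("$root/pages_backup/old.php");
rmdir("$root/pages");
rmdir("$root/pages_backup");
rmdir($root);
```

At the call site, confirm `is_string($_GET['page'] ?? null)` before calling the resolver, because a `page[]=` request supplies an array and would raise a `TypeError` under strict types.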
Recent CVEs (759)
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in fuelthemes WerkStatt Plugin werkstatt-plugin allows PHP Local File Inclusion. This issue affects WerkStatt Plugin: from n/a through <= 1.6.6. [CVSS 7.5 HIGH]
A Local File Inclusion (LFI) and a Server-Side Request Forgery (SSRF) vulnerability was found in the InsertFromHtmlString() function of the Apryse HTML2PDF SDK thru 11.6.0. [CVSS 7.5 HIGH]
A WordPress plugin has a PHP Remote File Inclusion vulnerability (CWE-98) that allows unauthenticated attackers to execute arbitrary remote PHP code on the server.
A WordPress plugin has a PHP Remote File Inclusion vulnerability allowing attackers to include malicious remote PHP files for unauthenticated code execution.
A WordPress plugin has a PHP Remote File Inclusion vulnerability (CWE-98) enabling unauthenticated remote code execution through crafted include paths.
A WordPress plugin has a PHP Remote File Inclusion vulnerability allowing unauthenticated attackers to include and execute arbitrary remote PHP files on the server.
Quick.Cart is vulnerable to Local File Inclusion and Path Traversal issues in the theme selection mechanism. Quick.Cart allows a privileged user to upload arbitrary file contents while only validating the filename extension. [CVSS 7.2 HIGH]
GeoVision GeoWebServer 5.3.3 contains multiple vulnerabilities including local file inclusion, cross-site scripting, and remote code execution through improper input sanitization. [CVSS 6.2 MEDIUM]
News and Blog Designer Bundle for WordPress (through 1.1) has LFI via the template parameter, enabling unauthenticated arbitrary PHP file inclusion and execution.
mPDF 7.0 contains a local file inclusion vulnerability that allows attackers to read arbitrary system files by manipulating annotation file parameters. Attackers can generate URL-encoded or base64 payloads to include local files through crafted annotation content with file path specifications. [CVSS 5.5 MEDIUM]
YouPHPTube <= 7.8 contains a local file inclusion vulnerability that allows unauthenticated attackers to access arbitrary files by manipulating the 'lang' parameter in GET requests. [CVSS 5.5 MEDIUM]
PHP Local File Inclusion in G5Theme Handmade Framework versions up to 3.9 enables authenticated attackers to read arbitrary files on the server through improper validation of include/require statements. An attacker with valid credentials can exploit this vulnerability to access sensitive configuration files, source code, or other protected data without requiring user interaction. No patch is currently available for this vulnerability.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Hendon hendon allows PHP Local File Inclusion. This issue affects Hendon: from n/a through < 1.7. [CVSS 8.1 HIGH]
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Curly curly allows PHP Local File Inclusion. This issue affects Curly: from n/a through < 3.3. [CVSS 8.1 HIGH]
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Optimize optimizewp allows PHP Local File Inclusion. This issue affects Optimize: from n/a through < 2.4. [CVSS 8.1 HIGH]
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Wellspring wellspring allows PHP Local File Inclusion. This issue affects Wellspring: from n/a through < 2.8. [CVSS 8.1 HIGH]
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in zozothemes Corpkit corpkit allows PHP Local File Inclusion. This issue affects Corpkit: from n/a through <= 2.0. [CVSS 8.1 HIGH]
Neo Ocular WordPress theme (before 1.2) allows PHP Local File Inclusion through improper filename control in include/require statements.
Typify WordPress theme (through 3.0.2) allows PHP Local File Inclusion via improper filename control.
Mitech WordPress theme (through 2.3.4) allows PHP Local File Inclusion through improper filename control in include/require statements.
Moody WordPress theme (through 2.7.3) allows PHP Local File Inclusion through improper filename control.
Atlas WordPress theme (through 2.1.0) allows PHP Local File Inclusion through improper filename control in PHP include statements.
Navian WordPress theme (through 1.5.4) allows PHP Local File Inclusion through improper filename control.
Brook WordPress theme (through 2.8.9) allows PHP Local File Inclusion via improper filename control in PHP include statements.
AeroLand WordPress theme (through 1.6.6) allows PHP Local File Inclusion through improper filename control. Unauthenticated RCE possible via include chain.
Oshine WordPress theme (through 7.2.7) allows PHP Local File Inclusion via improper filename control in include/require statements.
OchaHouse WordPress theme (through 2.2.8) allows PHP Local File Inclusion via improper filename control. Same vulnerability class as CVE-2025-12549.
Rozy Flower Shop WordPress theme (through 1.2.25) allows PHP Local File Inclusion through improper filename control in include/require statements. Unauthenticated RCE possible.
n8n workflow automation (1.65.0 to 1.121.0) allows unauthenticated file access through form-based workflows. A critical CVSS 10.0 vulnerability enabling remote attackers to read sensitive files from the server, with potential for further compromise. PoC available.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Group Hope charity-is-hope allows PHP Local File Inclusion. This issue affects Hope: from n/a through 3.0.0. [CVSS 8.1 HIGH]
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in JanStudio Gecko allows PHP Local File Inclusion. This issue affects Gecko: from n/a through 1.9.8. [CVSS 8.1 HIGH]
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mojoomla WPCHURCH allows PHP Local File Inclusion. This issue affects WPCHURCH: from n/a through 2.7.0. [CVSS 8.1 HIGH]
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CodexThemes TheGem Theme Elements (for Elementor) thegem-elements-elementor allows PHP Local File Inclusion. This issue affects TheGem Theme Elements (for Elementor): from n/a through <= 5.11.0. [CVSS 7.5 HIGH]
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in VanKarWai Calafate calafate allows PHP Local File Inclusion. This issue affects Calafate: from n/a through <= 1.7.7. [CVSS 7.5 HIGH]
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Jwsthemes Issabella allows PHP Local File Inclusion. This issue affects Issabella: from n/a through 1.1.2. [CVSS 8.1 HIGH]
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Frappé allows PHP Local File Inclusion. This issue affects Frappé: from n/a through 1.8. [CVSS 8.1 HIGH]
jsPDF is a library to generate PDFs in JavaScript. Prior to version 4.0.0, user control of the first argument of the loadFile method in the node.js build allows local file inclusion/path traversal. [CVSS 7.5 HIGH]
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in jwsthemes FreeAgent allows PHP Local File Inclusion. This issue affects FreeAgent: from n/a through 2.1.2. [CVSS 8.1 HIGH]
Local file inclusion vulnerability in MadrasThemes MAS Videos WordPress plugin versions up to 1.3.4 allows unauthenticated attackers to read arbitrary files from the affected server through improper control of filename parameters in PHP include/require statements. The vulnerability affects the masvideos plugin and has been tracked by Patchstack with an EPSS score of 0.17% (38th percentile), indicating low exploitation probability despite the presence of information disclosure risk.
Local file inclusion in Edge-Themes Cinerama WordPress theme versions ≤2.9 enables unauthenticated remote attackers to read arbitrary server files through PHP file inclusion weaknesses. Despite the CVSS critical rating of 9.8, EPSS probability is low (0.17%, 38th percentile) with no public exploit identified at time of analysis. The vulnerability allows server-side file reading which could expose configuration files, credentials, and sensitive data without authentication requirements.
Local file inclusion in CedCommerce Integration for Good Market WordPress plugin versions 1.0.6 and earlier allows unauthenticated attackers to read arbitrary files from the server via improper filename validation in PHP include/require statements. The vulnerability affects a popular e-commerce integration plugin used by WooCommerce merchants, exposing sensitive configuration files, database credentials, and other sensitive data accessible to the web server process. EPSS probability of 0.14% suggests low real-world exploitation likelihood despite the information disclosure impact.
Local file inclusion (LFI) vulnerability in Thembay Nika WordPress theme version 1.2.14 and earlier allows unauthenticated attackers to read arbitrary files from the server via improper control of filename parameters in PHP include/require statements. The vulnerability has a low EPSS score (0.17%, 38th percentile) and no confirmed active exploitation, but successful exploitation could disclose sensitive configuration files, source code, or other protected data.
Local file inclusion (LFI) vulnerability in thembay Diza WordPress theme through version 1.3.15 allows unauthenticated attackers to read arbitrary files from the server filesystem via improper control of filename parameters in PHP include/require statements. The vulnerability affects all versions of Diza up to and including 1.3.15, with no public exploit code identified at time of analysis, though the low EPSS score (0.17%) suggests limited real-world exploitation probability despite the attack vector being remote and unauthenticated.
Local file inclusion (LFI) in Task Manager WordPress plugin versions ≤3.0.2 allows unauthenticated remote attackers to read arbitrary files from the server through improper filename control in PHP include/require statements. With a 7.5 CVSS score but only 0.06% EPSS (18th percentile), this represents high theoretical impact with low observed exploitation probability. No confirmed active exploitation (not in CISA KEV) or public exploit code identified at time of analysis. Patchstack security research disclosed this vulnerability affecting the Agence web Eoxia Task Manager plugin.
Local file inclusion in Ray Enterprise Translation WordPress plugin (versions ≤1.7.1) allows unauthenticated remote attackers to read arbitrary files from the server. CVSS 7.5 HIGH due to network-accessible exploitation with no authentication required. EPSS score of 0.06% (20th percentile) indicates low observed exploitation probability. No active exploitation confirmed (not in CISA KEV); no public exploit identified at time of analysis. Despite high CVSS, real-world risk appears moderate given low EPSS and information disclosure-only impact.
Local file inclusion in Riode WordPress theme versions up to 1.6.23 allows remote attackers to read arbitrary files on the server through improper PHP file inclusion controls. The vulnerability requires user interaction (UI:R) but no authentication (PR:N), enabling unauthorized access to sensitive configuration files, credentials, or source code. EPSS score of 0.06% (18th percentile) indicates low observed exploitation probability; no public exploit identified at time of analysis and not listed in CISA KEV.
Local File Inclusion (LFI) in BZOTheme Monki WordPress theme versions through 2.0.5 allows unauthenticated remote attackers to include and execute arbitrary PHP files on the server, potentially leading to remote code execution, information disclosure, or complete system compromise. Despite the high 8.1 CVSS score, real-world exploitation probability remains low (EPSS 0.17%, 38th percentile) with no confirmed active exploitation or public exploit code identified at time of analysis. The vulnerability stems from improper filename validation in PHP include/require statements, classified as CWE-98.
Local File Inclusion in Dream-Theme's The7 WordPress theme (versions prior to 12.8.1.1) allows authenticated attackers with low privileges to read arbitrary server files through improper filename validation in PHP include statements. With a 0.17% EPSS score and no confirmed active exploitation, this represents a moderate risk primarily in shared hosting environments where authenticated users exist. The 7.5 CVSS score reflects high confidentiality and integrity impact, though exploitation requires high attack complexity and authenticated access.
The My auctions allegro plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.6.32 via the 'controller' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
dcat-admin v2.2.3-beta and before is vulnerable to file inclusion in admin/src/Extend/VersionManager.php.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in MatrixAddons Easy Invoice easy-invoice allows PHP Local File Inclusion.1.4. Rated medium severity (CVSS 6.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The read function in file thinkphp\library\think\template\driver\File.php in ThinkPHP 5.0.24 contains a remote code execution vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
An unauthenticated remote attacker can execute arbitrary php files and gain full access of the affected devices. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The Category and Product Woocommerce Tabs plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.0. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Edge-Themes Alloggio - Hotel Booking alloggio allows PHP Local File. Rated high severity (CVSS 8.1), this vulnerability is low attack complexity. No vendor patch available.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Ido Kobelkowsky Simple Payment simple-payment.4.6. Rated high severity (CVSS 7.3), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Savory savory.5. Rated high severity (CVSS 8.1), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in fuelthemes Revolution revolution.5.8. Rated high severity (CVSS 7.4), this vulnerability is low attack complexity. No vendor patch available.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Academist academist.3. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in favethemes Houzez houzez.2.0. Rated high severity (CVSS 8.0), this vulnerability is low attack complexity. No vendor patch available.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CodexThemes TheGem Theme Elements (for WPBakery) thegem-elements.10.5.1. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ApusTheme ITok itok.1.42. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ApusTheme Famita famita allows PHP Local File Inclusion.54. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WPClever WPC Product Options for WooCommerce wpc-product-options allows PHP. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Premmerce Premmerce premmerce allows PHP Local File Inclusion.3.19. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Alexander AnyComment anycomment allows PHP Local File Inclusion.3.6. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Josh Kohlbach WooCommerce Store Toolkit woocommerce-store-toolkit allows PHP. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Josh Kohlbach Store Exporter woocommerce-exporter allows PHP Local File. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Kyle Phillips Favorites favorites allows PHP Local File Inclusion.3.6. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in aguilatechnologies WP Customer Area customer-area allows PHP Local File. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThimPress LearnPress Export Import learnpress-import-export allows PHP Local. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in dedalx InHype - Blog & Magazine WordPress Theme inhype allows PHP Local File. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in dedalx Saxon - Viral Content Blog & Magazine Marketing WordPress Theme saxon. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in owenr88 Simple Contact Forms simple-contact-forms allows PHP Local File. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Clearblue Clearblue® Ovulation Calculator clearblue-ovulation-calculator. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Premmerce Premmerce Product Search for WooCommerce premmerce-search allows PHP. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Premmerce Premmerce User Roles premmerce-user-roles allows PHP Local File. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Premmerce Premmerce Wholesale Pricing for WooCommerce. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Premmerce Premmerce Wishlist for WooCommerce premmerce-woocommerce-wishlist. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Hinnerk Altenburg Immocaster WordPress Plugin immocaster allows PHP Local File. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in PoloPag PoloPag – Pix Automático para Woocommerce wc-polo-payments. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Processby Lazy Load Optimizer lazy-load-optimizer allows PHP Local File. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Processby Responsive Sidebar responsive-sidebar allows PHP Local File. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Creatives_Planet Leblix leblix allows PHP Local File Inclusion.4. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in designervily Greenify greenify allows PHP Local File Inclusion.2. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in zozothemes Zegen zegen allows PHP Local File Inclusion.1.9. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Daman Jeet Real Time Validation for Gravity Forms. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in bslthemes Kinsley kinsley allows PHP Local File Inclusion.4.4. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in pantherius Modal Survey modal-survey.0.2.0.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Dør dor allows PHP Local File Inclusion.4. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Quick Facts
- Typical Severity: HIGH
- Category: web
- Total CVEs: 759