Skip to main content

Local File Inclusion

web HIGH

Local File Inclusion vulnerabilities occur when an application accepts user-controlled input to specify which file should be loaded or executed, typically through functions like PHP's `include()`, `require()`, or `fopen()`.

How It Works

Local File Inclusion vulnerabilities occur when an application accepts user-controlled input to specify which file should be loaded or executed, typically through functions like PHP's include(), require(), or fopen(). The attacker manipulates file path parameters—often using directory traversal sequences like ../ or absolute paths—to access files outside the intended directory. For example, a URL parameter ?page=dashboard might be vulnerable if changed to ?page=../../../../etc/passwd.

Modern LFI exploitation extends beyond simple file reading. Attackers leverage PHP wrappers like php://filter to apply encoding filters that bypass content restrictions. The php://filter/convert.base64-encode wrapper allows reading PHP source code without execution, exposing credentials and logic flaws. More sophisticated attacks chain multiple filters together to construct executable PHP code from seemingly harmless character transformations.

Log poisoning escalates LFI to remote code execution by injecting malicious PHP code into log files (access logs, error logs, email logs), then using the LFI vulnerability to include and execute those logs. Attackers can also abuse data wrappers (data://text/plain,<?php system($_GET['cmd']);?>) or expect:// protocol handlers depending on server configuration.

Impact

  • Source code disclosure — exposing application logic, API keys, database credentials, and proprietary algorithms
  • Configuration file access — reading database connection strings, encryption keys, cloud service credentials from config files
  • Sensitive data extraction — accessing /etc/passwd, SSH keys, user data files, session tokens
  • Remote code execution — through log poisoning, wrapper abuse, or including uploaded files containing malicious code
  • Lateral movement preparation — gathering internal network details, service configurations, and authentication mechanisms

Real-World Examples

The osTicket CVE-2022-22200 vulnerability demonstrated advanced filter chain exploitation where attackers injected a PHP filter chain into a ticket's CSS style attribute. The malicious payload bypassed the htmLawed HTML sanitizer using strategic whitespace, then exploited mPDF's processing of php:// wrappers after URL-decoding. This allowed arbitrary file reading that escalated to RCE through chained filter operations.

phpMyAdmin has experienced multiple LFI vulnerabilities where attackers manipulated theme selection or language file parameters to include arbitrary files, often combining this with session file poisoning to achieve code execution. Content management systems like WordPress plugins frequently expose LFI through template loading mechanisms where developers fail to validate file path inputs properly.

Mitigation

  • Eliminate dynamic file inclusion — use routing tables or switch statements mapping IDs to hardcoded file paths instead of concatenating user input
  • Strict allowlisting — maintain explicit arrays of permitted files; validate user input against this list, never use input directly in paths
  • Disable dangerous PHP wrappers — set allow_url_include=0 and allow_url_fopen=0 in php.ini; disable expect://, phar://, and data:// wrappers
  • Implement path canonicalization — resolve paths with realpath(), verify they remain within allowed directories using strpos() checks
  • Apply least privilege — run web applications with minimal file system permissions, preventing access to sensitive system files
  • Input validation — reject any input containing ../, absolute paths, null bytes, or protocol specifiers

Recent CVEs (1172)

EPSS 0% CVSS 8.8
HIGH This Week

The SportsPress plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.7.26 via shortcodes 'template_name' attribute. This makes it possible for authenticated attackers, with contributor-level and above permissions, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where php file type can be...

WordPress PHP LFI +2
NVD
EPSS 0% CVSS 7.5
HIGH This Week

ThemeMove Unicamp through version 2.7.1 contains a local file inclusion vulnerability in PHP that allows authenticated attackers to read arbitrary files on the server through improper filename validation in include/require statements. An attacker with valid credentials can leverage this flaw to access sensitive files and potentially execute arbitrary code. No patch is currently available for this vulnerability.

PHP LFI
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Talemy Spirit Framework allows PHP Local File Inclusion.This issue affects Spirit Framework: from n/a through 1.2.13. [CVSS 7.5 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 7.5
HIGH This Week

The Administrative Shortcodes plugin for WordPress through version 0.3.4 allows authenticated contributors and above to execute arbitrary PHP code via insufficient path validation in the get_template shortcode's slug parameter. An attacker with contributor-level permissions can exploit this local file inclusion vulnerability to include malicious files, bypass access controls, and achieve remote code execution on the affected server. A patch is not currently available for this vulnerability.

WordPress PHP LFI
NVD
EPSS 0% CVSS 7.5
HIGH This Week

DevsBlink EduBlink Core through version 2.0.7 contains a local file inclusion vulnerability in its PHP file handling that allows authenticated attackers to read arbitrary files on the server. An attacker with valid credentials can manipulate filename parameters to bypass proper input validation and access sensitive system files. No patch is currently available for this vulnerability.

PHP LFI
NVD
EPSS 0% CVSS 7.5
HIGH This Week

The Laurent theme for PHP versions 3.1 and earlier contains a local file inclusion vulnerability that allows authenticated attackers to read arbitrary files on the affected system. An attacker with valid credentials can manipulate filename parameters in include/require statements to access sensitive data outside the intended application directory. No patch is currently available for this vulnerability.

PHP LFI
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Laurent Core plugin for PHP through version 2.4.1 contains a local file inclusion vulnerability in its filename handling for include/require statements, allowing authenticated attackers to read arbitrary files from the affected system. With a CVSS score of 7.5, this vulnerability enables confidentiality and integrity compromise, though exploitation requires valid credentials and no patch is currently available.

PHP LFI
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Omnipress through version 1.6.6 contains a local file inclusion vulnerability in its PHP program that allows authenticated attackers to read arbitrary files on the server. An attacker with valid credentials can manipulate filename parameters in include/require statements to access sensitive files outside the intended directory. This vulnerability requires user interaction but poses significant risk to confidentiality with no available patch at this time.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 7.5
HIGH This Week

A WordPress plugin has a PHP Remote File Inclusion vulnerability (CWE-98) allowing unauthenticated remote code execution through crafted include paths.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 7.5
HIGH This Week

QantumThemes Kentha Elementor Widgets kentha-elementor is affected by php remote file inclusion (CVSS 7.5).

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 7.5
HIGH This Week

A WordPress plugin has a PHP Remote File Inclusion vulnerability (CWE-98) allowing unauthenticated attackers to include and execute arbitrary remote PHP files.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 7.5
HIGH This Week

A WordPress plugin has a PHP Remote File Inclusion vulnerability enabling unauthenticated remote code execution through crafted include paths.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 7.5
HIGH This Week

wphocus My auctions allegro my-auctions-allegro-free-edition is affected by php remote file inclusion (CVSS 7.5).

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Pavothemes Triply versions 2.4.7 and earlier contain a local file inclusion vulnerability in PHP that allows authenticated attackers to read arbitrary files on the server. An attacker with valid credentials can manipulate filename parameters to bypass access controls and potentially execute code or expose sensitive data. No patch is currently available for this vulnerability.

PHP LFI
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Pavothemes Freshio versions 2.4.2 and earlier contain a local file inclusion vulnerability in PHP that allows unauthenticated remote attackers to read sensitive files on affected systems. The vulnerability stems from improper validation of file paths in include/require statements, enabling disclosure of confidential information such as configuration files and source code. This vulnerability currently lacks a published patch and has a low exploitation prevalence rate.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in fuelthemes Werkstatt werkstatt allows PHP Local File Inclusion.This issue affects Werkstatt: from n/a through < 4.8.3. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in fuelthemes North north-wp allows PHP Local File Inclusion.This issue affects North: from n/a through <= 5.7.5. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Malta malta allows PHP Local File Inclusion.This issue affects Malta: from n/a through <= 1.3.3. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Hobo hobo allows PHP Local File Inclusion.This issue affects Hobo: from n/a through <= 1.0.10. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Modern Housewife modernhousewife allows PHP Local File Inclusion.This issue affects Modern Housewife: from n/a through <= 1.0.12. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Yolox yolox allows PHP Local File Inclusion.This issue affects Yolox: from n/a through <= 1.0.15. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Pearson Specter pearsonspecter allows PHP Local File Inclusion.This issue affects Pearson Specter: from n/a through <= 1.11.3. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Piqes piqes allows PHP Local File Inclusion.This issue affects Piqes: from n/a through <= 1.0.11. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Prider prider allows PHP Local File Inclusion.This issue affects Prider: from n/a through <= 1.1.3.1. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes TanTum tantum allows PHP Local File Inclusion.This issue affects TanTum: from n/a through <= 1.1.13. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Tornados tornados allows PHP Local File Inclusion.This issue affects Tornados: from n/a through <= 2.1. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Muji muji allows PHP Local File Inclusion.This issue affects Muji: from n/a through <= 1.2.0. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Tails tails allows PHP Local File Inclusion.This issue affects Tails: from n/a through <= 1.4.12. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Indoor Plants indoor-plants allows PHP Local File Inclusion.This issue affects Indoor Plants: from n/a through <= 1.2.7. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Snow Mountain snowmountain allows PHP Local File Inclusion.This issue affects Snow Mountain: from n/a through <= 1.4.3. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Pets Land petsland allows PHP Local File Inclusion.This issue affects Pets Land: from n/a through <= 1.2.8. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Weedles weedles allows PHP Local File Inclusion.This issue affects Weedles: from n/a through <= 1.1.12. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes MoveMe moveme allows PHP Local File Inclusion.This issue affects MoveMe: from n/a through <= 1.2.15. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes uReach ureach allows PHP Local File Inclusion.This issue affects uReach: from n/a through <= 1.3.3. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes DiveIt diveit allows PHP Local File Inclusion.This issue affects DiveIt: from n/a through <= 1.4.3. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes PartyMaker partymaker allows PHP Local File Inclusion.This issue affects PartyMaker: from n/a through <= 1.1.15. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Edge-Themes Eldon eldon allows PHP Local File Inclusion.This issue affects Eldon: from n/a through <= 1.0. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Edge-Themes Overworld overworld allows PHP Local File Inclusion.This issue affects Overworld: from n/a through <= 1.3. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Töbel tobel allows PHP Local File Inclusion.This issue affects Töbel: from n/a through <= 1.6. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in magentech MaxShop sw_maxshop allows PHP Local File Inclusion.This issue affects MaxShop: from n/a through <= 3.6.20. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WebGeniusLab iRecco Core irecco-core allows PHP Local File Inclusion.This issue affects iRecco Core: from n/a through <= 1.3.6. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in goalthemes Vango vango allows PHP Local File Inclusion.This issue affects Vango: from n/a through <= 1.3.3. [CVSS 8.1 HIGH]

PHP Golang LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in goalthemes Rashy rashy allows PHP Local File Inclusion.This issue affects Rashy: from n/a through <= 1.1.3. [CVSS 8.2 HIGH]

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in goalthemes Lindo lindo allows PHP Local File Inclusion.This issue affects Lindo: from n/a through <= 1.2.5. [CVSS 8.2 HIGH]

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in goalthemes Dekoro dekoro allows PHP Local File Inclusion.This issue affects Dekoro: from n/a through <= 1.0.7. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in goalthemes Bfres bfres allows PHP Local File Inclusion.This issue affects Bfres: from n/a through <= 1.2.1. [CVSS 8.2 HIGH]

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in goalthemes Bailly bailly allows PHP Local File Inclusion.This issue affects Bailly: from n/a through <= 1.3.4. [CVSS 8.1 HIGH]

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in goalthemes Hyori hyori allows PHP Local File Inclusion.This issue affects Hyori: from n/a through <= 1.3.6. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in goalthemes Pippo pippo allows PHP Local File Inclusion.This issue affects Pippo: from n/a through <= 1.2.3. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Search & Go search-and-go allows PHP Local File Inclusion.This issue affects Search & Go: from n/a through <= 2.8. [CVSS 8.1 HIGH]

PHP Golang LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

XpeedStudio Bajaar - Highly Customizable WooCommerce WordPress Theme bajaar is affected by php remote file inclusion (CVSS 8.1).

WordPress PHP LFI
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in zozothemes Miion miion allows PHP Local File Inclusion.This issue affects Miion: from n/a through <= 1.2.7. [CVSS 7.5 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in temash Barberry barberry allows PHP Local File Inclusion.This issue affects Barberry: from n/a through <= 2.9.9.87. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in jegtheme JNews - Pay Writer jnews-pay-writer allows PHP Local File Inclusion.This issue affects JNews - Pay Writer: from n/a through <= 11.0.0. [CVSS 7.5 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeGoods Photography photography allows PHP Local File Inclusion.This issue affects Photography: from n/a through < 7.7.5. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in TangibleWP Listivo Core listivo-core allows PHP Local File Inclusion.This issue affects Listivo Core: from n/a through <= 2.3.77. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in TangibleWP MyHome Core myhome-core allows PHP Local File Inclusion.This issue affects MyHome Core: from n/a through <= 4.1.0. [CVSS 7.5 HIGH]

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in scriptsbundle AdForest adforest allows PHP Local File Inclusion.This issue affects AdForest: from n/a through <= 6.0.11. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes The Aisle theaisle allows PHP Local File Inclusion.This issue affects The Aisle: from n/a through < 2.9.1. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Powerlift powerlift allows PHP Local File Inclusion.This issue affects Powerlift: from n/a through < 3.2.1. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Biagiotti biagiotti allows PHP Local File Inclusion.This issue affects Biagiotti: from n/a through < 3.5.2. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in BZOTheme Mella mella allows PHP Local File Inclusion.This issue affects Mella: from n/a through <= 1.2.29. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in bslthemes Myour myour allows PHP Local File Inclusion.This issue affects Myour: from n/a through <= 1.5.1. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in fuelthemes WerkStatt Plugin werkstatt-plugin allows PHP Local File Inclusion.This issue affects WerkStatt Plugin: from n/a through <= 1.6.6. [CVSS 7.5 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

A WordPress plugin has a PHP Remote File Inclusion vulnerability (CWE-98) that allows unauthenticated attackers to execute arbitrary remote PHP code on the server.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

A WordPress plugin has a PHP Remote File Inclusion vulnerability allowing attackers to include malicious remote PHP files for unauthenticated code execution.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

A WordPress plugin has a PHP Remote File Inclusion vulnerability (CWE-98) enabling unauthenticated remote code execution through crafted include paths.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

A WordPress plugin has a PHP Remote File Inclusion vulnerability allowing unauthenticated attackers to include and execute arbitrary remote PHP files on the server.

PHP LFI Information Disclosure
NVD
EPSS 1% CVSS 7.2
HIGH This Week

Quick.Cart is vulnerable to Local File Inclusion and Path Traversal issues in the theme selection mechanism. Quick.Cart allows a privileged user to upload arbitrary file contents while only validating the filename extension. [CVSS 7.2 HIGH]

PHP RCE LFI +2
NVD
EPSS 0% CVSS 6.2
MEDIUM POC This Month

GeoVision GeoWebServer 5.3.3 contains multiple vulnerabilities including local file inclusion, cross-site scripting, and remote code execution through improper input sanitization. [CVSS 6.2 MEDIUM]

RCE XSS LFI +1
NVD Exploit-DB
EPSS 1% CVSS 9.8
CRITICAL Act Now

News and Blog Designer Bundle for WordPress (through 1.1) has LFI via the template parameter, enabling unauthenticated arbitrary PHP file inclusion and execution.

WordPress PHP LFI
NVD
EPSS 0% CVSS 5.5
MEDIUM POC This Month

mPDF 7.0 contains a local file inclusion vulnerability that allows attackers to read arbitrary system files by manipulating annotation file parameters. Attackers can generate URL-encoded or base64 payloads to include local files through crafted annotation content with file path specifications. [CVSS 5.5 MEDIUM]

LFI Mpdf
NVD Exploit-DB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

YouPHPTube <= 7.8 contains a local file inclusion vulnerability that allows unauthenticated attackers to access arbitrary files by manipulating the 'lang' parameter in GET requests. [CVSS 5.5 MEDIUM]

PHP LFI Path Traversal +1
NVD Exploit-DB
EPSS 0% CVSS 7.5
HIGH This Week

PHP Local File Inclusion in G5Theme Handmade Framework versions up to 3.9 enables authenticated attackers to read arbitrary files on the server through improper validation of include/require statements. An attacker with valid credentials can exploit this vulnerability to access sensitive configuration files, source code, or other protected data without requiring user interaction. No patch is currently available for this vulnerability.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Hendon hendon allows PHP Local File Inclusion.This issue affects Hendon: from n/a through < 1.7. [CVSS 8.1 HIGH]

PHP LFI Hendon
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Curly curly allows PHP Local File Inclusion.This issue affects Curly: from n/a through < 3.3. [CVSS 8.1 HIGH]

PHP LFI Curly
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Optimize optimizewp allows PHP Local File Inclusion.This issue affects Optimize: from n/a through < 2.4. [CVSS 8.1 HIGH]

PHP LFI Optimize
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Wellspring wellspring allows PHP Local File Inclusion.This issue affects Wellspring: from n/a through < 2.8. [CVSS 8.1 HIGH]

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in zozothemes Corpkit corpkit allows PHP Local File Inclusion.This issue affects Corpkit: from n/a through <= 2.0. [CVSS 8.1 HIGH]

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Neo Ocular WordPress theme (before 1.2) allows PHP Local File Inclusion through improper filename control in include/require statements.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Typify WordPress theme (through 3.0.2) allows PHP Local File Inclusion via improper filename control.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Mitech WordPress theme (through 2.3.4) allows PHP Local File Inclusion through improper filename control in include/require statements.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Moody WordPress theme (through 2.7.3) allows PHP Local File Inclusion through improper filename control.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Atlas WordPress theme (through 2.1.0) allows PHP Local File Inclusion through improper filename control in PHP include statements.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Navian WordPress theme (through 1.5.4) allows PHP Local File Inclusion through improper filename control.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Brook WordPress theme (through 2.8.9) allows PHP Local File Inclusion via improper filename control in PHP include statements.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

AeroLand WordPress theme (through 1.6.6) allows PHP Local File Inclusion through improper filename control. Unauthenticated RCE possible via include chain.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Oshine WordPress theme (through 7.2.7) allows PHP Local File Inclusion via improper filename control in include/require statements.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

OchaHouse WordPress theme (through 2.2.8) allows PHP Local File Inclusion via improper filename control. Same vulnerability class as CVE-2025-12549.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Rozy Flower Shop WordPress theme (through 1.2.25) allows PHP Local File Inclusion through improper filename control in include/require statements. Unauthenticated RCE possible.

PHP LFI Information Disclosure
NVD
Prev Page 6 of 14 Next

Quick Facts

Typical Severity
HIGH
Category
web
Total CVEs
1172

Related CWEs

MITRE ATT&CK

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy