Skip to main content

Local File Inclusion

web HIGH

Local File Inclusion vulnerabilities occur when an application accepts user-controlled input to specify which file should be loaded or executed, typically through functions like PHP's `include()`, `require()`, or `fopen()`.

How It Works

Local File Inclusion vulnerabilities occur when an application accepts user-controlled input to specify which file should be loaded or executed, typically through functions like PHP's include(), require(), or fopen(). The attacker manipulates file path parameters—often using directory traversal sequences like ../ or absolute paths—to access files outside the intended directory. For example, a URL parameter ?page=dashboard might be vulnerable if changed to ?page=../../../../etc/passwd.

Modern LFI exploitation extends beyond simple file reading. Attackers leverage PHP wrappers like php://filter to apply encoding filters that bypass content restrictions. The php://filter/convert.base64-encode wrapper allows reading PHP source code without execution, exposing credentials and logic flaws. More sophisticated attacks chain multiple filters together to construct executable PHP code from seemingly harmless character transformations.

Log poisoning escalates LFI to remote code execution by injecting malicious PHP code into log files (access logs, error logs, email logs), then using the LFI vulnerability to include and execute those logs. Attackers can also abuse data wrappers (data://text/plain,<?php system($_GET['cmd']);?>) or expect:// protocol handlers depending on server configuration.

Impact

  • Source code disclosure — exposing application logic, API keys, database credentials, and proprietary algorithms
  • Configuration file access — reading database connection strings, encryption keys, cloud service credentials from config files
  • Sensitive data extraction — accessing /etc/passwd, SSH keys, user data files, session tokens
  • Remote code execution — through log poisoning, wrapper abuse, or including uploaded files containing malicious code
  • Lateral movement preparation — gathering internal network details, service configurations, and authentication mechanisms

Real-World Examples

The osTicket CVE-2022-22200 vulnerability demonstrated advanced filter chain exploitation where attackers injected a PHP filter chain into a ticket's CSS style attribute. The malicious payload bypassed the htmLawed HTML sanitizer using strategic whitespace, then exploited mPDF's processing of php:// wrappers after URL-decoding. This allowed arbitrary file reading that escalated to RCE through chained filter operations.

phpMyAdmin has experienced multiple LFI vulnerabilities where attackers manipulated theme selection or language file parameters to include arbitrary files, often combining this with session file poisoning to achieve code execution. Content management systems like WordPress plugins frequently expose LFI through template loading mechanisms where developers fail to validate file path inputs properly.

Mitigation

  • Eliminate dynamic file inclusion — use routing tables or switch statements mapping IDs to hardcoded file paths instead of concatenating user input
  • Strict allowlisting — maintain explicit arrays of permitted files; validate user input against this list, never use input directly in paths
  • Disable dangerous PHP wrappers — set allow_url_include=0 and allow_url_fopen=0 in php.ini; disable expect://, phar://, and data:// wrappers
  • Implement path canonicalization — resolve paths with realpath(), verify they remain within allowed directories using strpos() checks
  • Apply least privilege — run web applications with minimal file system permissions, preventing access to sensitive system files
  • Input validation — reject any input containing ../, absolute paths, null bytes, or protocol specifiers

Recent CVEs (1172)

EPSS 7% CVSS 10.0
CRITICAL POC PATCH Act Now

n8n workflow automation (1.65.0 to 1.121.0) allows unauthenticated file access through form-based workflows. A critical CVSS 10.0 vulnerability enabling remote attackers to read sensitive files from the server, with potential for further compromise. PoC available.

Information Disclosure Path Traversal LFI +2
NVD GitHub
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Group Hope charity-is-hope allows PHP Local File Inclusion.This issue affects Hope: from n/a through 3.0.0. [CVSS 8.1 HIGH]

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in JanStudio Gecko allows PHP Local File Inclusion.This issue affects Gecko: from n/a through 1.9.8. [CVSS 8.1 HIGH]

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mojoomla WPCHURCH allows PHP Local File Inclusion.This issue affects WPCHURCH: from n/a through 2.7.0. [CVSS 8.1 HIGH]

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CodexThemes TheGem Theme Elements (for Elementor) thegem-elements-elementor allows PHP Local File Inclusion.This issue affects TheGem Theme Elements (for Elementor): from n/a through <= 5.11.0. [CVSS 7.5 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in VanKarWai Calafate calafate allows PHP Local File Inclusion.This issue affects Calafate: from n/a through <= 1.7.7. [CVSS 7.5 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Jwsthemes Issabella allows PHP Local File Inclusion.This issue affects Issabella: from n/a through 1.1.2. [CVSS 8.1 HIGH]

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Frappé allows PHP Local File Inclusion.This issue affects Frappé: from n/a through 1.8. [CVSS 8.1 HIGH]

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in jwsthemes FreeAgent allows PHP Local File Inclusion.This issue affects FreeAgent: from n/a through 2.1.2. [CVSS 8.1 HIGH]

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Local file inclusion vulnerability in MadrasThemes MAS Videos WordPress plugin versions up to 1.3.4 allows unauthenticated attackers to read arbitrary files from the affected server through improper control of filename parameters in PHP include/require statements. The vulnerability affects the masvideos plugin and has been tracked by Patchstack with an EPSS score of 0.17% (38th percentile), indicating low exploitation probability despite the presence of information disclosure risk.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Lekker lekker allows PHP Local File Inclusion.This issue affects Lekker: from n/a through <= 1.8.

PHP Information Disclosure LFI
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WebCodingPlace Responsive Posts Carousel Pro responsive-posts-carousel-pro allows PHP Local File Inclusion.This issue affects Responsive Posts Carousel Pro: from n/a through <= 15.1.

PHP Information Disclosure LFI
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Local file inclusion in Edge-Themes Cinerama WordPress theme versions ≤2.9 enables unauthenticated remote attackers to read arbitrary server files through PHP file inclusion weaknesses. Despite the CVSS critical rating of 9.8, EPSS probability is low (0.17%, 38th percentile) with no public exploit identified at time of analysis. The vulnerability allows server-side file reading which could expose configuration files, credentials, and sensitive data without authentication requirements.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Aora aora allows PHP Local File Inclusion.This issue affects Aora: from n/a through <= 1.3.15.

PHP Information Disclosure LFI
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Puca puca allows PHP Local File Inclusion.This issue affects Puca: from n/a through <= 2.6.39.

PHP Information Disclosure LFI
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Greenmart greenmart allows PHP Local File Inclusion.This issue affects Greenmart: from n/a through <= 4.2.11.

PHP Information Disclosure LFI
NVD
EPSS 0% CVSS 6.6
MEDIUM This Month

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in miniOrange WordPress Social Login and Register miniorange-login-openid allows PHP Local File Inclusion.This issue affects WordPress Social Login and Register: from n/a through <= 7.7.0.

WordPress LFI PHP +1
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Local file inclusion in reDim GmbH CookieHint WP plugin versions up to 1.0.0 allows unauthenticated attackers to read arbitrary files from the server filesystem through improper handling of filename parameters in PHP include/require statements. The vulnerability enables information disclosure by permitting attackers to access sensitive configuration files, source code, and other locally stored data without authentication. EPSS score of 0.14% indicates relatively low exploitation probability at time of analysis, and no public exploit code or active exploitation has been confirmed.

Information Disclosure PHP LFI
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Local file inclusion in CedCommerce Integration for Good Market WordPress plugin versions 1.0.6 and earlier allows unauthenticated attackers to read arbitrary files from the server via improper filename validation in PHP include/require statements. The vulnerability affects a popular e-commerce integration plugin used by WooCommerce merchants, exposing sensitive configuration files, database credentials, and other sensitive data accessible to the web server process. EPSS probability of 0.14% suggests low real-world exploitation likelihood despite the information disclosure impact.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WP Shuffle Subscribe to Unlock Lite subscribe-to-unlock-lite allows PHP Local File Inclusion.This issue affects Subscribe to Unlock Lite: from n/a through <= 1.3.0.

PHP Information Disclosure LFI
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Fana fana allows PHP Local File Inclusion.This issue affects Fana: from n/a through <= 1.1.35.

PHP Information Disclosure LFI
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Zota zota allows PHP Local File Inclusion.This issue affects Zota: from n/a through <= 1.3.14.

PHP Information Disclosure LFI
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in pavothemes Bookory bookory allows PHP Local File Inclusion.This issue affects Bookory: from n/a through <= 2.2.7.

PHP Information Disclosure LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Nawawi Jamili Docket Cache docket-cache allows PHP Local File Inclusion.This issue affects Docket Cache: from n/a through <= 24.07.03.

PHP Information Disclosure LFI
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Local file inclusion vulnerability in CodexThemes TheGem Theme Elements (for Elementor) WordPress plugin through version 5.10.5.1 allows attackers to read arbitrary files from the server via improper control of filename parameters in PHP include/require statements. The vulnerability carries a low EPSS score of 0.17% (38th percentile), indicating minimal real-world exploitation probability despite being a classic PHP file inclusion flaw affecting an Elementor page builder plugin.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Local File Inclusion in Nika WordPress theme through version 1.2.14 allows authenticated attackers with low-level privileges to read arbitrary files on the server via improper filename validation in PHP include/require statements. EPSS score of 0.17% (38th percentile) indicates low predicted exploitation probability. No public exploit code or active exploitation confirmed at time of analysis, though Patchstack's disclosure suggests vulnerability details are documented.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Local File Inclusion (LFI) vulnerability in the Diza WordPress theme (≤1.3.15) enables low-privileged authenticated attackers to include arbitrary local files, potentially leading to remote code execution, sensitive data exposure, or complete site compromise. The CVSS score of 7.5 reflects high complexity network-based attack requiring authentication. EPSS exploitation probability is low (0.17%, 38th percentile), with no confirmed active exploitation or public proof-of-concept at time of analysis, though the vulnerability has been cataloged by Patchstack's security research team.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in shinetheme Traveler traveler allows PHP Local File Inclusion.This issue affects Traveler: from n/a through < 3.2.6.

PHP Information Disclosure LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in TieLabs Jannah jannah allows PHP Local File Inclusion.This issue affects Jannah: from n/a through <= 7.6.0.

PHP Information Disclosure LFI
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Local file inclusion in Task Manager WordPress plugin versions ≤3.0.2 enables authenticated attackers with low privileges to read arbitrary files from the web server through improper filename control in PHP include/require statements. Exploitation requires network access with high attack complexity. EPSS score of 0.06% (18th percentile) indicates low probability of mass exploitation. No active exploitation confirmed in CISA KEV at time of analysis, though Patchstack vulnerability database documents this as a disclosed LFI vulnerability.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Local file inclusion in Ray Enterprise Translation WordPress plugin through version 1.7.1 allows remote attackers to read arbitrary files on the server via path traversal in PHP include statements. Despite the moderate CVSS score of 7.5, the EPSS probability of 0.06% (20th percentile) indicates minimal observed exploitation activity in the wild. Patchstack has cataloged this vulnerability with proof-of-concept details, requiring attackers to overcome high complexity conditions and user interaction to achieve impact across confidentiality, integrity, and availability.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Processby Anchor smooth scroll anchor-smooth-scroll allows PHP Local File Inclusion.This issue affects Anchor smooth scroll: from n/a through <= 1.0.2.

PHP Information Disclosure LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local file inclusion in Riode WordPress theme versions ≤1.6.23 allows remote unauthenticated attackers to read arbitrary files from the web server filesystem, potentially exposing configuration files, credentials, and source code. The vulnerability stems from improper filename control in PHP include/require statements. Despite the high CVSS score of 8.1, EPSS indicates only 0.06% exploitation probability (18th percentile), suggesting limited attacker interest. No active exploitation confirmed (not in CISA KEV) and no public POC identified at time of analysis.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeMove MinimogWP minimog allows PHP Local File Inclusion.This issue affects MinimogWP: from n/a through <= 3.9.6.

PHP Information Disclosure LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Giardino giardino allows PHP Local File Inclusion.This issue affects Giardino: from n/a through <= 1.1.10.

PHP Information Disclosure LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Katelyn katelyn allows PHP Local File Inclusion.This issue affects Katelyn: from n/a through <= 1.0.10.

PHP Information Disclosure LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Pinevale pinevale allows PHP Local File Inclusion.This issue affects Pinevale: from n/a through <= 1.0.14.

PHP Information Disclosure LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Renewal renewal allows PHP Local File Inclusion.This issue affects Renewal: from n/a through <= 1.2.2.

PHP Information Disclosure LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Rosalinda rosalinda allows PHP Local File Inclusion.This issue affects Rosalinda: from n/a through <= 1.2.3.

PHP Information Disclosure LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Fabrica fabrica allows PHP Local File Inclusion.This issue affects Fabrica: from n/a through <= 1.8.1.

PHP Information Disclosure LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes OnLeash onleash allows PHP Local File Inclusion.This issue affects OnLeash: from n/a through <= 1.5.2.

PHP Information Disclosure LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes MaxCube maxcube allows PHP Local File Inclusion.This issue affects MaxCube: from n/a through <= 1.3.1.

PHP Information Disclosure LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes W&D wd allows PHP Local File Inclusion.This issue affects W&D: from n/a through <= 1.0.

PHP Information Disclosure LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Rare Radio rareradio allows PHP Local File Inclusion.This issue affects Rare Radio: from n/a through <= 1.0.15.1.

PHP Information Disclosure LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Panda panda allows PHP Local File Inclusion.This issue affects Panda: from n/a through <= 1.21.

PHP Information Disclosure LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Soleil soleil allows PHP Local File Inclusion.This issue affects Soleil: from n/a through <= 1.17.

PHP Information Disclosure LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Tripster tripster allows PHP Local File Inclusion.This issue affects Tripster: from n/a through <= 1.0.10.

PHP Information Disclosure LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes IPharm ipharm allows PHP Local File Inclusion.This issue affects IPharm: from n/a through <= 1.2.3.

PHP Information Disclosure LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes HeartStar heartstar allows PHP Local File Inclusion.This issue affects HeartStar: from n/a through <= 1.0.14.

PHP Information Disclosure LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Fribbo fribbo allows PHP Local File Inclusion.This issue affects Fribbo: from n/a through <= 1.1.0.

PHP Information Disclosure LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Wanderic wanderic allows PHP Local File Inclusion.This issue affects Wanderic: from n/a through <= 1.0.10.

PHP Information Disclosure LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Chinchilla chinchilla allows PHP Local File Inclusion.This issue affects Chinchilla: from n/a through <= 1.16.

PHP Information Disclosure LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Lione lione allows PHP Local File Inclusion.This issue affects Lione: from n/a through <= 1.16.

PHP Information Disclosure LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Spock spock allows PHP Local File Inclusion.This issue affects Spock: from n/a through <= 1.17.

PHP Information Disclosure LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Aromatica aromatica allows PHP Local File Inclusion.This issue affects Aromatica: from n/a through <= 1.8.

PHP Information Disclosure LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Athos athos allows PHP Local File Inclusion.This issue affects Athos: from n/a through <= 1.9.

PHP Information Disclosure LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Vocal vocal allows PHP Local File Inclusion.This issue affects Vocal: from n/a through <= 1.12.

PHP Information Disclosure LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes EcoGrow ecogrow allows PHP Local File Inclusion.This issue affects EcoGrow: from n/a through <= 1.7.

PHP Information Disclosure LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Manufactory manufactory allows PHP Local File Inclusion.This issue affects Manufactory: from n/a through <= 1.4.

PHP Information Disclosure LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Agricola agricola allows PHP Local File Inclusion.This issue affects Agricola: from n/a through <= 1.1.0.

PHP Information Disclosure LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Dwell dwell allows PHP Local File Inclusion.This issue affects Dwell: from n/a through <= 1.7.0.

PHP Information Disclosure LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Fabric fabric allows PHP Local File Inclusion.This issue affects Fabric: from n/a through <= 1.5.0.

PHP Information Disclosure LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Basil basil allows PHP Local File Inclusion.This issue affects Basil: from n/a through <= 1.3.12.

PHP Information Disclosure LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Tacticool tacticool allows PHP Local File Inclusion.This issue affects Tacticool: from n/a through <= 1.0.13.

PHP Information Disclosure LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Catamaran catamaran allows PHP Local File Inclusion.This issue affects Catamaran: from n/a through <= 1.15.

PHP Information Disclosure LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Lunna lunna allows PHP Local File Inclusion.This issue affects Lunna: from n/a through <= 1.15.

PHP Information Disclosure LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes The Gig thegig allows PHP Local File Inclusion.This issue affects The Gig: from n/a through <= 1.18.0.

PHP Information Disclosure LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Anubis anubis allows PHP Local File Inclusion.This issue affects Anubis: from n/a through <= 1.25.

PHP Information Disclosure LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Prisma prisma allows PHP Local File Inclusion.This issue affects Prisma: from n/a through <= 1.10.

PHP Information Disclosure LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Palatio palatio allows PHP Local File Inclusion.This issue affects Palatio: from n/a through <= 1.6.

PHP Information Disclosure LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes FitFlex fitflex allows PHP Local File Inclusion.This issue affects FitFlex: from n/a through <= 1.6.

PHP Information Disclosure LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Pantry pantry allows PHP Local File Inclusion.This issue affects Pantry: from n/a through <= 1.4.

PHP Information Disclosure LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes HealthHub healthhub allows PHP Local File Inclusion.This issue affects HealthHub: from n/a through <= 1.3.0.

PHP Information Disclosure LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Otaku otaku allows PHP Local File Inclusion.This issue affects Otaku: from n/a through <= 1.8.0.

PHP Information Disclosure LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Integro integro allows PHP Local File Inclusion.This issue affects Integro: from n/a through <= 1.8.0.

PHP Information Disclosure LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Good Mood good-mood allows PHP Local File Inclusion.This issue affects Good Mood: from n/a through <= 1.16.

PHP Information Disclosure LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Alright alright allows PHP Local File Inclusion.This issue affects Alright: from n/a through <= 1.6.1.

PHP Information Disclosure LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Tourimo tourimo allows PHP Local File Inclusion.This issue affects Tourimo: from n/a through <= 1.2.3.

PHP Information Disclosure LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Sanger sanger allows PHP Local File Inclusion.This issue affects Sanger: from n/a through <= 1.24.0.

PHP Information Disclosure LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Playful playful allows PHP Local File Inclusion.This issue affects Playful: from n/a through <= 1.19.0.

PHP Information Disclosure LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Towny towny allows PHP Local File Inclusion.This issue affects Towny: from n/a through <= 1.16.

PHP Information Disclosure LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes The Flash theflash allows PHP Local File Inclusion.This issue affects The Flash: from n/a through <= 1.15.

PHP Information Disclosure LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Pathfinder pathfinder allows PHP Local File Inclusion.This issue affects Pathfinder: from n/a through <= 1.16.

PHP Information Disclosure LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Festy festy allows PHP Local File Inclusion.This issue affects Festy: from n/a through <= 1.13.0.

PHP Information Disclosure LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Algenix algenix allows PHP Local File Inclusion.This issue affects Algenix: from n/a through <= 1.0.

PHP Information Disclosure LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Hygia hygia allows PHP Local File Inclusion.This issue affects Hygia: from n/a through <= 1.16.

PHP Information Disclosure LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local File Inclusion (LFI) in BZOTheme Monki WordPress theme versions through 2.0.5 allows unauthenticated remote attackers to include and execute arbitrary PHP files on the server, potentially leading to remote code execution, information disclosure, or complete system compromise. Despite the high 8.1 CVSS score, real-world exploitation probability remains low (EPSS 0.17%, 38th percentile) with no confirmed active exploitation or public exploit code identified at time of analysis. The vulnerability stems from improper filename validation in PHP include/require statements, classified as CWE-98.

WordPress PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Hanani hanani allows PHP Local File Inclusion.This issue affects Hanani: from n/a through <= 1.2.11.

PHP Information Disclosure LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Jack Well jack-well allows PHP Local File Inclusion.This issue affects Jack Well: from n/a through <= 1.0.14.

PHP Information Disclosure LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Ludos Paradise ludos-paradise allows PHP Local File Inclusion.This issue affects Ludos Paradise: from n/a through <= 2.1.3.

PHP Information Disclosure LFI
NVD
Prev Page 7 of 14 Next

Quick Facts

Typical Severity
HIGH
Category
web
Total CVEs
1172

Related CWEs

MITRE ATT&CK

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy