Local File Inclusion
Local File Inclusion vulnerabilities occur when an application accepts user-controlled input to specify which file should be loaded or executed, typically through functions like PHP's `include()`, `require()`, or `fopen()`.
How It Works
Local File Inclusion vulnerabilities occur when an application accepts user-controlled input to specify which file should be loaded or executed, typically through functions like PHP's include(), require(), or fopen(). The attacker manipulates file path parameters—often using directory traversal sequences like ../ or absolute paths—to access files outside the intended directory. For example, a URL parameter ?page=dashboard might be vulnerable if changed to ?page=../../../../etc/passwd.
Modern LFI exploitation extends beyond simple file reading. Attackers leverage PHP wrappers like php://filter to apply encoding filters that bypass content restrictions. The php://filter/convert.base64-encode wrapper allows reading PHP source code without execution, exposing credentials and logic flaws. More sophisticated attacks chain multiple filters together to construct executable PHP code from seemingly harmless character transformations.
Log poisoning escalates LFI to remote code execution by injecting malicious PHP code into log files (access logs, error logs, email logs), then using the LFI vulnerability to include and execute those logs. Attackers can also abuse data wrappers (data://text/plain,<?php system($_GET['cmd']);?>) or expect:// protocol handlers depending on server configuration.
Impact
- Source code disclosure — exposing application logic, API keys, database credentials, and proprietary algorithms
- Configuration file access — reading database connection strings, encryption keys, cloud service credentials from config files
- Sensitive data extraction — accessing
/etc/passwd, SSH keys, user data files, session tokens - Remote code execution — through log poisoning, wrapper abuse, or including uploaded files containing malicious code
- Lateral movement preparation — gathering internal network details, service configurations, and authentication mechanisms
Real-World Examples
The osTicket CVE-2022-22200 vulnerability demonstrated advanced filter chain exploitation where attackers injected a PHP filter chain into a ticket's CSS style attribute. The malicious payload bypassed the htmLawed HTML sanitizer using strategic whitespace, then exploited mPDF's processing of php:// wrappers after URL-decoding. This allowed arbitrary file reading that escalated to RCE through chained filter operations.
phpMyAdmin has experienced multiple LFI vulnerabilities where attackers manipulated theme selection or language file parameters to include arbitrary files, often combining this with session file poisoning to achieve code execution. Content management systems like WordPress plugins frequently expose LFI through template loading mechanisms where developers fail to validate file path inputs properly.
Mitigation
- Eliminate dynamic file inclusion — use routing tables or switch statements mapping IDs to hardcoded file paths instead of concatenating user input
- Strict allowlisting — maintain explicit arrays of permitted files; validate user input against this list, never use input directly in paths
- Disable dangerous PHP wrappers — set
allow_url_include=0andallow_url_fopen=0in php.ini; disableexpect://,phar://, anddata://wrappers - Implement path canonicalization — resolve paths with
realpath(), verify they remain within allowed directories usingstrpos()checks - Apply least privilege — run web applications with minimal file system permissions, preventing access to sensitive system files
- Input validation — reject any input containing
../, absolute paths, null bytes, or protocol specifiers
Recent CVEs (1172)
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Kings & Queens kings-queens allows PHP Local File Inclusion.This issue affects Kings & Queens: from n/a through <= 1.1.16.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Gracioza gracioza allows PHP Local File Inclusion.This issue affects Gracioza: from n/a through <= 1.0.15.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Mamita mamita allows PHP Local File Inclusion.This issue affects Mamita: from n/a through <= 1.0.9.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Militarology militarology allows PHP Local File Inclusion.This issue affects Militarology: from n/a through <= 1.0.15.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes ShieldGroup shieldgroup allows PHP Local File Inclusion.This issue affects ShieldGroup: from n/a through <= 2.13.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Select-Themes Stockholm Core stockholm-core allows PHP Local File Inclusion.This issue affects Stockholm Core: from n/a through <= 2.4.6.
Local file inclusion in PenciDesign Soledad WordPress theme versions through 8.7.0 allows authenticated attackers with low privileges to include and execute arbitrary PHP files via improper filename control in include/require statements. Attack complexity is high (AC:H), requiring specific server configuration or authenticated access to exploit. No active exploitation confirmed at time of analysis, but vulnerability class (CWE-98) is commonly targeted once POC becomes available. EPSS data not provided; exploitation status unknown beyond vendor disclosure.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in LiquidThemes Hub Core hub-core allows PHP Local File Inclusion.This issue affects Hub Core: from n/a through <= 5.0.8.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeMove EduMall edumall allows PHP Local File Inclusion.This issue affects EduMall: from n/a through <= 4.4.7.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Hara hara allows PHP Local File Inclusion.This issue affects Hara: from n/a through <= 1.2.17.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in trippleS Turitor turitor allows PHP Local File Inclusion.This issue affects Turitor: from n/a through < 1.5.3.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Besa besa allows PHP Local File Inclusion.This issue affects Besa: from n/a through <= 2.3.15.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Opal_WP Fashion fashion2 allows PHP Local File Inclusion.This issue affects Fashion: from n/a through < 5.3.0.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Urna urna allows PHP Local File Inclusion.This issue affects Urna: from n/a through <= 2.5.12.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in trippleS Digiqole digiqole allows PHP Local File Inclusion.This issue affects Digiqole: from n/a through < 2.2.7.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThimPress Sailing sailing allows PHP Local File Inclusion.This issue affects Sailing: from n/a through < 4.4.6.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Opal_WP ekommart ekommart allows PHP Local File Inclusion.This issue affects ekommart: from n/a through < 4.3.1.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in NooTheme Jobmonster Elementor Addon jobmonster-addon allows PHP Local File Inclusion.This issue affects Jobmonster Elementor Addon: from n/a through <= 1.1.4.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in trippleS Exhibz exhibz allows PHP Local File Inclusion.This issue affects Exhibz: from n/a through <= 3.0.9.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in NooTheme Jobmonster noo-jobmonster allows PHP Local File Inclusion.This issue affects Jobmonster: from n/a through <= 4.8.2.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Select-Themes Select Core select-core allows PHP Local File Inclusion.This issue affects Select Core: from n/a through < 2.6.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Wilmër wilmer allows PHP Local File Inclusion.This issue affects Wilmër: from n/a through < 3.5.
Local File Inclusion in Dream-Theme's The7 WordPress theme (versions prior to 12.8.1.1) allows authenticated attackers with low privileges to read arbitrary server files through improper filename validation in PHP include statements. With a 0.17% EPSS score and no confirmed active exploitation, this represents a moderate risk primarily in shared hosting environments where authenticated users exist. The 7.5 CVSS score reflects high confidentiality and integrity impact, though exploitation requires high attack complexity and authenticated access.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AndonDesign UDesign Core u-design-core allows PHP Local File Inclusion.This issue affects UDesign Core: from n/a through <= 4.14.0.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in DFDevelopment Ronneby Theme Core ronneby-core allows PHP Local File Inclusion.This issue affects Ronneby Theme Core: from n/a through <= 1.5.68.
The My auctions allegro plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.6.32 via the 'controller' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
dcat-admin v2.2.3-beta and before is vulnerable to file inclusion in admin/src/Extend/VersionManager.php.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in MatrixAddons Easy Invoice easy-invoice allows PHP Local File Inclusion.1.4. Rated medium severity (CVSS 6.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The read function in file thinkphp\library\think\template\driver\File.php in ThinkPHP 5.0.24 contains a remote code execution vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
An unauthenticated remote attacker can execute arbitrary php files and gain full access of the affected devices. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The Category and Product Woocommerce Tabs plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.0. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Local file inclusion in Alloggio - Hotel Booking WordPress theme through version 1.8 allows remote attackers to read arbitrary files on the server and potentially execute code by manipulating PHP include/require statements. The vulnerability stems from improper filename validation in file inclusion operations, enabling attackers to traverse directories and access sensitive files or configuration data. Exploitation probability is low (EPSS 0.07%, 22nd percentile) with no confirmed active exploitation or public proof-of-concept at time of analysis.
Local File Inclusion (LFI) in Simple Payment WordPress plugin versions ≤2.4.6 allows remote attackers to include and execute arbitrary local files via PHP file inclusion flaws. Attack requires high complexity (AC:H) and user interaction (UI:R), suggesting exploitation depends on specific conditions like attacker-controllable parameters combined with victim action. EPSS score of 0.04% (13th percentile) indicates low observed exploitation probability in the wild. No CISA KEV listing or public exploit code identified at time of analysis, limiting immediate threat surface despite 7.5 CVSS score.
Remote file inclusion in Elated-Themes Savory WordPress theme through version 2.5 allows network-based attackers to execute arbitrary PHP code by manipulating file inclusion statements. Despite a CVSS score of 8.1, real-world exploitation risk appears low with an EPSS probability of 0.03% (8th percentile) and no evidence of active exploitation or public proof-of-concept code. The vulnerability classification as CWE-98 combined with conflicting tags (both RFI and LFI referenced) requires clarification - the attack complexity rating of High (AC:H) suggests non-trivial prerequisites for successful exploitation despite the network attack vector.
Local file inclusion in Revolution theme versions before 2.5.8 allows authenticated attackers with low privileges to include and execute arbitrary PHP files on the server via manipulated file paths. The vulnerability exploits improper validation of file inclusion parameters, enabling remote code execution when combined with file upload or log poisoning. EPSS score of 0.05% suggests low probability of mass exploitation, and no public POC or active exploitation (non-KEV) is confirmed at time of analysis.
Local file inclusion in WordPress Academist theme versions prior to 1.3 enables remote attackers to include arbitrary PHP files from the server filesystem, leading to potential information disclosure, code execution, and full site compromise. The vulnerability stems from improper filename validation in PHP include/require statements. Despite a CVSS score of 8.1, the EPSS probability is only 0.05% (16th percentile), suggesting attackers have not widely adopted this technique, though the attack complexity is rated high. No confirmed active exploitation or public exploit code identified at time of analysis.
Local file inclusion in Houzez WordPress theme versions before 4.2.0 allows remote unauthenticated attackers to include and execute arbitrary PHP files through improper filename control in include/require statements. The vulnerability carries high CVSS severity (8.1) due to potential for remote code execution, though EPSS probability remains low (0.06%, 20th percentile) indicating limited observed exploitation attempts. No active exploitation confirmed by CISA KEV at time of analysis.
Local file inclusion in TheGem Theme Elements (for WPBakery) plugin versions ≤5.10.5.1 allows remote attackers to include and execute arbitrary PHP files without authentication. Despite the high CVSS 8.1 score and network attack vector, the 'AC:H' (high complexity) rating and extremely low EPSS (0.05%, 16th percentile) indicate this requires specific conditions to exploit. No active exploitation has been confirmed - CISA KEV does not list this vulnerability, and EPSS data suggests minimal real-world targeting. The vulnerability stems from improper validation of file paths in PHP include/require statements (CWE-98), a common WordPress plugin weakness.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ApusTheme ITok itok.1.42. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ApusTheme Famita famita allows PHP Local File Inclusion.54. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WPClever WPC Product Options for WooCommerce wpc-product-options allows PHP. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Premmerce Premmerce premmerce allows PHP Local File Inclusion.3.19. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Alexander AnyComment anycomment allows PHP Local File Inclusion.3.6. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Local file inclusion in WooCommerce Store Toolkit plugin versions up to 2.4.3 allows network-based attackers to read arbitrary files from the WordPress server via improper filename control in PHP include/require statements. Despite network-based attack vector (AV:N), the vulnerability requires high attack complexity and user interaction (AC:H/UI:R), limiting exploitation scenarios. EPSS score of 0.08% (23rd percentile) suggests low likelihood of widespread exploitation in the wild. No CISA KEV listing or public POC identified at time of analysis, though Patchstack has documented the vulnerability.
Local file inclusion in Store Exporter (WooCommerce plugin) through version 2.7.6 allows remote attackers with user interaction to read arbitrary files and potentially execute code via PHP file inclusion. Despite the 7.5 CVSS score, exploitation requires high attack complexity and user interaction, with an EPSS probability of only 0.08% (23rd percentile), indicating limited real-world exploitation likelihood. No active exploitation or public POC identified at time of analysis.
Local File Inclusion in WordPress Favorites plugin versions through 2.3.6 enables network-based attackers to read arbitrary files from the server's filesystem through crafted PHP include statements. Despite the CWE-98 classification suggesting remote file inclusion, the vulnerability title and tags confirm this is actually an LFI attack requiring user interaction (UI:R) and high attack complexity (AC:H). EPSS score of 0.08% (23rd percentile) indicates low probability of mass exploitation, and no active exploitation or public POC has been identified at time of analysis.
Local File Inclusion in WP Customer Area plugin version 8.2.7 and earlier allows remote attackers to read arbitrary files on the server through improper validation of file paths in PHP include/require statements. The attack requires high complexity and user interaction (CVSS AC:H/UI:R), limiting widespread exploitation. EPSS score of 0.08% indicates low observed exploitation probability. No active exploitation confirmed in CISA KEV, though Patchstack has cataloged this vulnerability in their WordPress security database.
Local file inclusion (LFI) in LearnPress Export Import plugin ≤4.0.9 allows remote attackers to read arbitrary files on the server through manipulated PHP include/require statements. Despite CVSS 7.5 severity, real-world risk appears moderate: attack complexity is HIGH (AC:H), requires user interaction (UI:R), and EPSS probability is low (0.08%, 23rd percentile). No active exploitation confirmed and no CISA KEV listing. Patchstack database documents this as an information disclosure vector via LFI, suggesting attackers can access sensitive configuration files, credentials, or application source code.
Local file inclusion in InHype WordPress Theme versions up to 1.5.2 allows remote attackers to read arbitrary server files and potentially execute PHP code without authentication. Despite a high CVSS score of 8.1, the vulnerability has a low EPSS score (0.08%, 23rd percentile) and requires high attack complexity (AC:H), suggesting exploitation requires specific conditions or configuration knowledge. No active exploitation confirmed via CISA KEV, but Patchstack audit team has documented the vulnerability, increasing likelihood of public awareness and attempted exploitation.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in dedalx Saxon - Viral Content Blog & Magazine Marketing WordPress Theme saxon. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Local File Inclusion in Simple Contact Forms WordPress plugin (versions ≤1.6.4) allows remote unauthenticated attackers to include arbitrary PHP files from the server's local filesystem via improper filename validation in include/require statements. CVSS rates this 8.1 (High) with high attack complexity (AC:H), but EPSS indicates only 0.08% exploitation probability (23rd percentile), suggesting low real-world targeting. Patchstack classified this as an LFI vulnerability with information disclosure potential, though successful exploitation could escalate to code execution if combined with file upload or log poisoning techniques.
Local file inclusion in Clearblue Ovulation Calculator WordPress plugin versions through 1.2.4 allows remote attackers to read arbitrary files from the webserver. Despite the CWE-98 classification suggesting remote file inclusion, available intelligence confirms this is an LFI vulnerability requiring user interaction and high attack complexity (CVSS AC:H/UI:R). No active exploitation confirmed via CISA KEV. EPSS score of 0.22% indicates low probability of widespread exploitation attempts, though a Patchstack database entry suggests security researchers have documented the flaw.
Local file inclusion in Premmerce Product Search for WooCommerce plugin versions ≤2.2.4 enables remote attackers to read arbitrary files on the server through improper filename control in PHP include/require statements. Exploitation requires high attack complexity and user interaction (AV:N/AC:H/UI:R), suggesting social engineering or specific application state needed to trigger the vulnerability. No active exploitation confirmed (EPSS 0.07%, not in CISA KEV), but represents significant risk for WordPress/WooCommerce sites running this plugin given potential exposure of sensitive configuration files, database credentials, and user data.
Local file inclusion in Premmerce User Roles WordPress plugin ≤1.0.13 allows remote attackers to read arbitrary files and potentially execute code via improper validation of include/require file paths. Attack requires high complexity and user interaction (CVSS AC:H/UI:R), limiting practical exploitation. EPSS score of 0.07% (22nd percentile) indicates very low observed exploitation probability in the wild. No CISA KEV listing or public POC identified. Patchstack security audit disclosed this vulnerability, affecting all versions up to 1.0.13.
Local File Inclusion in Premmerce Wholesale Pricing for WooCommerce plugin (versions ≤1.1.10) allows remote attackers to read arbitrary files and potentially execute PHP code through improper filename validation. Despite the CVSS 7.5 score, real-world risk is moderate: attack complexity is high (AC:H) and requires user interaction (UI:R), limiting opportunistic exploitation. EPSS score of 0.07% (22nd percentile) suggests low probability of widespread exploitation. No active exploitation confirmed (not in CISA KEV) and public exploit code has not been identified at time of analysis.
Local file inclusion in Premmerce Wishlist for WooCommerce plugin ≤1.1.10 enables network attackers to read arbitrary PHP files and potentially execute code through crafted include/require statements. The vulnerability requires high attack complexity and user interaction (CVSS AC:H/UI:R), limiting practical exploitability. EPSS score of 0.07% (22nd percentile) indicates low likelihood of mass exploitation, and no active exploitation is documented in CISA KEV. Patchstack has documented this vulnerability, suggesting security researcher disclosure rather than in-the-wild discovery.
Local File Inclusion in Immocaster WordPress Plugin versions through 1.3.6 enables remote attackers to read arbitrary files on the server or potentially execute code by manipulating file inclusion parameters. Despite the high CVSS score of 8.1, EPSS data indicates only 0.08% exploitation probability (23rd percentile), suggesting limited active targeting. No active exploitation confirmed by CISA KEV, though Patchstack's disclosure indicates researcher awareness. Attack complexity is rated High (AC:H), requiring specific server configurations or precise timing to exploit successfully.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in PoloPag PoloPag – Pix Automático para Woocommerce wc-polo-payments. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Local file inclusion (LFI) in Lazy Load Optimizer WordPress plugin (versions through 1.4.7) allows remote unauthenticated attackers to read arbitrary files from the web server through improper PHP include/require statement handling. Despite the 7.5 CVSS score, exploitation requires high attack complexity and user interaction (AV:N/AC:H/PR:N/UI:R), limiting practical weaponization. EPSS score of 0.07% (22nd percentile) indicates very low probability of widespread exploitation. No active exploitation confirmed via CISA KEV, and no public exploit code identified at time of analysis.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Processby Responsive Sidebar responsive-sidebar allows PHP Local File. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Local File Inclusion (LFI) in Leblix WordPress theme versions up to 2.4 allows remote unauthenticated attackers to include and execute arbitrary local files through improper filename control in PHP include/require statements. Despite the network attack vector (AV:N), exploitation requires high complexity conditions (AC:H), potentially involving specific configuration states or input validation bypasses. EPSS score of 0.04% (11th percentile) indicates low observed exploitation probability in the wild, and no CISA KEV listing confirms this remains a theoretical rather than actively exploited vulnerability. The vulnerability permits information disclosure through file content exposure and potentially code execution if attackers can chain LFI with other weaknesses like log poisoning or PHP wrapper abuse.
Local file inclusion vulnerability in Greenify WordPress theme (versions through 2.2) enables remote attackers to read arbitrary files from the web server filesystem, potentially exposing sensitive configuration files, credentials, and application source code. Exploitation requires specific conditions despite the network attack vector, reflected in the high attack complexity (AC:H) rating. EPSS score of 0.08% (23rd percentile) suggests low probability of mass exploitation, and no active exploitation has been confirmed via CISA KEV, though Patchstack has documented the vulnerability details.
Local File Inclusion vulnerability in Zegen WordPress theme versions up to 1.1.9 allows authenticated remote attackers with low privileges to read arbitrary files on the server. Exploitation requires high attack complexity (AC:H), suggesting specific configuration or timing conditions must be met. EPSS score of 0.22% (45th percentile) indicates low probability of widespread exploitation. No public exploit code or active exploitation confirmed at time of analysis.
Local file inclusion in Real Time Validation for Gravity Forms WordPress plugin (versions ≤1.7.0) enables remote attackers to read arbitrary files from the web server, potentially exposing sensitive configuration data, credentials, and source code. Despite the 7.5 CVSS score, real-world risk is moderate: the attack requires high complexity and user interaction (CVSS:AV:N/AC:H/UI:R), and EPSS probability is low at 0.14% (35th percentile). Patchstack vulnerability database confirms the flaw but no CISA KEV listing or public POC has been identified at time of analysis.
Local File Inclusion in Kinsley WordPress theme versions ≤3.4.4 enables remote attackers to read arbitrary server files and potentially execute code through improper filename control in PHP include/require statements. The vulnerability requires high attack complexity (AC:H) but needs no authentication (PR:N), allowing unauthenticated remote exploitation under specific conditions. EPSS score of 0.22% indicates low predicted exploitation probability, with no CISA KEV listing or public exploit code identified at time of analysis.
Remote file inclusion in Modal Survey WordPress plugin through version 2.0.2.0.1 allows unauthenticated attackers to include and execute arbitrary PHP files via manipulated include/require statements. Exploitation requires complex conditions (AC:H) but no authentication, potentially leading to complete site compromise. EPSS score of 0.14% (35th percentile) suggests low probability of mass exploitation. Patchstack security audit identified this vulnerability as exploitable for both remote file inclusion and local file inclusion.
Local file inclusion in Dør WordPress theme versions ≤2.4 allows remote attackers to read arbitrary files on the server and potentially achieve code execution through PHP wrapper manipulation. Despite the vulnerability title mentioning 'Remote File Inclusion', the CWE-98 classification and 'PHP Local File Inclusion' description indicate the actual vulnerability enables local file reads. Reported by Patchstack audit team with CVSS 8.1 severity, though EPSS probability of 0.14% (35th percentile) suggests limited observed exploitation activity. No CISA KEV listing indicating no confirmed widespread active exploitation at time of analysis.
Local file inclusion in the Dessau WordPress theme (versions up to 1.8) enables authenticated attackers with low-level privileges to read arbitrary files from the server filesystem via manipulated file inclusion paths. With attack complexity rated high (AC:H), successful exploitation requires specific conditions but grants access to sensitive configuration files, credentials, and potentially enables further attacks including remote code execution if combined with log poisoning or file upload capabilities. EPSS exploitation probability is low (0.14%, 35th percentile) with no confirmed active exploitation or public proof-of-concept code identified at time of analysis.
The Premium Portfolio Features for Phlox theme plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.3.10 via the 'args[extra_template_path]' parameter. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
The Elegance Menu plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.9 via the 'elegance-menu' attribute of the `elegance-menu` shortcode. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.
The WPCOM Member plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.7.14 via the action parameter in one of its shortcodes. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in StylemixThemes Consulting Elementor Widgets consulting-elementor-widgets allows PHP Local File Inclusion.This issue affects Consulting Elementor Widgets: from n/a through <= 1.4.2.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in StylemixThemes Consulting consulting allows PHP Local File Inclusion.This issue affects Consulting: from n/a through < 6.7.5.
Local file inclusion in Majestic Support WordPress plugin versions ≤1.0.7 allows authenticated attackers with low-level privileges to include arbitrary PHP files from the server filesystem via improper filename control in include/require statements. With CVSS 7.5 (High), the vulnerability requires high attack complexity but can lead to complete confidentiality, integrity, and availability compromise. EPSS score of 0.10% (28th percentile) suggests low probability of mass exploitation. No public exploit code identified and not present in CISA KEV at time of analysis, though Patchstack tracking indicates vendor awareness.
Remote file inclusion in ArkSigner AcBakImzala versions before 5.1.4 allows unauthenticated attackers to coerce the PHP application into including attacker-controlled files, resulting in local file inclusion and potential remote code execution. The CVSS 9.8 score reflects network-reachable, no-authentication exploitation with full confidentiality, integrity, and availability impact, though no public exploit identified at time of analysis and the issue is not currently listed in CISA KEV.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeMove Businext businext allows PHP Local File Inclusion.This issue affects Businext: from n/a through < 2.4.4.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeMove SmilePure smilepure allows PHP Local File Inclusion.This issue affects SmilePure: from n/a through < 1.8.5.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in xtemos WoodMart woodmart allows PHP Local File Inclusion.This issue affects WoodMart: from n/a through < 8.3.2.
Local file inclusion in Crocoblock JetReviews plugin versions through 3.0.0 allows authenticated attackers with low-level privileges to read arbitrary files on the WordPress server via PHP file inclusion flaws. With EPSS at 0.13% (33rd percentile), exploitation likelihood is currently low. No active exploitation confirmed (not in CISA KEV), but Patchstack has cataloged the vulnerability indicating professional security research attention. Attackers can access sensitive configuration files, credentials, and potentially chain with other vulnerabilities for code execution.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Kevon Adonis WP Abstracts wp-abstracts-manuscripts-manager allows PHP Local File Inclusion.This issue affects WP Abstracts: from n/a through <= 2.7.4.
LFI in JoomSport WordPress plugin.
The Bei Fen - WordPress Backup Plugin plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.4.2 via the 'task'. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
The Tiny Bootstrap Elements Light plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.3.34 via the 'language' parameter. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Local file inclusion in Subscribe To Unlock WordPress plugin versions up to 1.1.5 allows authenticated attackers with low privileges to include and execute arbitrary PHP files on the server, potentially leading to remote code execution, sensitive data disclosure, or full site compromise. EPSS score of 0.11% (29th percentile) indicates low probability of mass exploitation. No public exploit code or active exploitation confirmed at time of analysis.
Local file inclusion in Subscribe to Download WordPress plugin versions up to 2.0.9 allows authenticated attackers with low privileges to read arbitrary files on the server via manipulated PHP include paths. EPSS exploitation probability is low at 0.11% (29th percentile), and no active exploitation is confirmed in CISA KEV. The vulnerability requires authentication (PR:L) and high attack complexity (AC:H), limiting widespread exploitation risk despite the 7.5 CVSS score. Patchstack has documented this vulnerability, suggesting detection signatures exist for web application firewalls.
Local File Inclusion in Testimonial Slider WordPress plugin allows authenticated attackers with low-level privileges to include and execute arbitrary PHP files on the server, potentially leading to remote code execution, information disclosure, or complete site compromise. All versions through 3.5.8.6 are affected. The vulnerability requires only low-privilege authentication (PR:L) and has network attack vector (AV:N) with low complexity (AC:L), making it readily exploitable by registered users. EPSS score of 0.14% indicates low predicted exploitation probability in the wild, and no active exploitation or public POC has been identified at time of analysis.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in PenciDesign Soledad allows PHP Local File Inclusion.6.8. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in hashthemes Easy Elementor Addons allows PHP Local File Inclusion.2.8. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in immonex immonex Kickstart Team allows PHP Local File Inclusion.6.9. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Pluginwale Easy Pricing Table WP allows PHP Local File Inclusion.1.3. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.
Quick Facts
- Typical Severity
- HIGH
- Category
- web
- Total CVEs
- 1172