Total
380 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-22145 | 2025-02-25 | N/A | N/A | ||
| Carbon is an international PHP extension for DateTime. Application passing unsanitized user input to Carbon::setLocale are at risk of arbitrary file include, if the application allows users to upload files with .php extension in an folder that allows include or require to read it, then they are at risk of arbitrary code ran on their servers. This vulnerability is fixed in 3.8.4 and 2.72.6. | |||||
| CVE-2024-13353 | 1 Cyberchimps | 1 Responsive Addons For Elementor | 2025-02-25 | N/A | 8.8 HIGH |
| The Responsive Addons for Elementor – Free Elementor Addons Plugin and Elementor Templates plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.6.4 via several widgets. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. | |||||
| CVE-2025-0366 | 1 Artbees | 1 Jupiter X Core | 2025-02-24 | N/A | 8.8 HIGH |
| The Jupiter X Core plugin for WordPress is vulnerable to Local File Inclusion to Remote Code Execution in all versions up to, and including, 4.8.7 via the get_svg() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution. In this specific case, an attacker can create a form that allows SVG uploads, upload an SVG file with malicious content and then include the SVG file in a post to achieve remote code execution. This means it is relatively easy to gain remote code execution as a contributor-level user and above by default. | |||||
| CVE-2025-27272 | 2025-02-24 | N/A | 7.5 HIGH | ||
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in vinagecko VG PostCarousel allows PHP Local File Inclusion. This issue affects VG PostCarousel: from n/a through 1.1. | |||||
| CVE-2025-26760 | 2025-02-22 | N/A | 7.5 HIGH | ||
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Wow-Company Calculator Builder allows PHP Local File Inclusion. This issue affects Calculator Builder: from n/a through 1.6.2. | |||||
| CVE-2025-26757 | 2025-02-22 | N/A | 7.5 HIGH | ||
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in FULL SERVICES FULL Customer allows PHP Local File Inclusion. This issue affects FULL Customer: from n/a through 3.1.26. | |||||
| CVE-2025-22656 | 2025-02-18 | N/A | 8.1 HIGH | ||
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Oscar Alvarez Cookie Monster allows PHP Local File Inclusion. This issue affects Cookie Monster: from n/a through 1.2.2. | |||||
| CVE-2024-56216 | 1 Themify | 1 Builder | 2025-02-07 | N/A | 6.5 MEDIUM |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Themify Themify Builder allows PHP Local File Inclusion.This issue affects Themify Builder: from n/a through 7.6.3. | |||||
| CVE-2025-25141 | 2025-02-07 | N/A | 7.5 HIGH | ||
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in zankover Fami Sales Popup allows PHP Local File Inclusion. This issue affects Fami Sales Popup: from n/a through 2.0.0. | |||||
| CVE-2024-49649 | 1 Buildapp | 1 Build App Online | 2025-02-05 | N/A | 9.8 CRITICAL |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Abdul Hakeem Build App Online allows PHP Local File Inclusion.This issue affects Build App Online: from n/a through 1.0.23. | |||||
| CVE-2024-13408 | 1 Pickplugins | 1 Post Grid | 2025-02-05 | N/A | 7.5 HIGH |
| The Post Grid, Slider & Carousel Ultimate – with Shortcode, Gutenberg Block & Elementor Widget plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.6.10 via the 'theme' attribute of the `pgcu` shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where php files can be uploaded and included. | |||||
| CVE-2024-13593 | 1 Bmltenabled | 1 Meeting Map | 2025-02-04 | N/A | 7.5 HIGH |
| The BMLT Meeting Map plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.6.0 via the 'bmlt_meeting_map' shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. | |||||
| CVE-2024-12859 | 2025-02-03 | N/A | 8.8 HIGH | ||
| The BoomBox Theme Extensions plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.8.0 via the 'boombox_listing' shortcode 'type' attribute. This makes it possible for authenticated attackers, with contributor-level and above permissions, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where php file type can be uploaded and included. | |||||
| CVE-2024-4359 | 1 Bdthemes | 1 Element Pack | 2025-01-29 | N/A | 6.5 MEDIUM |
| The Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) plugin for WordPress is vulnerable to arbitrary file reads in all versions up to, and including, 5.7.2 via the SVG widget and a lack of sufficient file validation in the render_svg function. This makes it possible for authenticated attackers, with contributor-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information. | |||||
| CVE-2025-24782 | 2025-01-27 | N/A | 6.5 MEDIUM | ||
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in wpWax Post Grid, Slider & Carousel Ultimate allows PHP Local File Inclusion. This issue affects Post Grid, Slider & Carousel Ultimate: from n/a through 1.6.10. | |||||
| CVE-2025-23949 | 2025-01-22 | N/A | 8.1 HIGH | ||
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mihajlovic Nenad Improved Sale Badges – Free Version allows PHP Local File Inclusion. This issue affects Improved Sale Badges – Free Version: from n/a through 1.0.1. | |||||
| CVE-2025-23948 | 2025-01-22 | N/A | 8.1 HIGH | ||
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WebArea Background animation blocks allows PHP Local File Inclusion. This issue affects Background animation blocks: from n/a through 2.1.5. | |||||
| CVE-2025-23938 | 2025-01-22 | N/A | 7.5 HIGH | ||
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in NotFound Image Gallery Box by CRUDLab allows PHP Local File Inclusion. This issue affects Image Gallery Box by CRUDLab: from n/a through 1.0.3. | |||||
| CVE-2025-22311 | 2025-01-21 | N/A | 7.5 HIGH | ||
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in NotFound Private Messages for UserPro. This issue affects Private Messages for UserPro: from n/a through 4.10.0. | |||||
| CVE-2025-23915 | 2025-01-16 | N/A | 7.5 HIGH | ||
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Roninwp FAT Event Lite allows PHP Local File Inclusion.This issue affects FAT Event Lite: from n/a through 1.1. | |||||