CWE-98

High likelihood

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

Parent: CWE-706 - Use of Incorrectly-Resolved Name or Reference

The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions.

1,228 vulnerabilities with CWE-98
CVE-2025-48332 HIGH
PublishPress Gutenberg Blocks <3.3.1 - Code Injection
CVSS 7.5
CVE-2025-48293 CRITICAL
Geo Mashup <1.13.16 - Code Injection
CVSS 9.8
CVE-2025-3703 HIGH
CSS & JavaScript Toolbox < 12.0.3 - PHP Local File Inclusion
CVSS 7.5
CVE-2025-32288 HIGH
stmcan RT-Theme 18 | Extensions - Code Injection
CVSS 7.5
CVE-2025-30635 HIGH
ThemeAtelier IDonatePro <2.1.9 - Code Injection
CVSS 8.1
CVE-2025-28979 HIGH
ThimPress WP Pipes <= 1.4.3 - PHP Local File Inclusion
CVSS 8.1
CVE-2025-25174 CRITICAL
BeeTeam368 Extensions <1.9.4 - Code Injection
CVSS 10.0
CVE-2025-25172 HIGH
beeteam368 VidMov <1.9.4 - Code Injection
CVSS 8.1
CVE-2025-24766 HIGH
WP Royal Themes News Magazine X <1.2.37 - Code Injection
CVSS 7.5
CVE-2025-8913 CRITICAL
WellChoose Organization Portal System < IFTOP_P3_2_1_197 - Unauthenticated Local File Inclusion
CVSS 9.8
CVE-2025-51057 MEDIUM
Vedo Suite 2024.17 - Authenticated Local File Inclusion via /api_vedo/video/preview
CVSS 6.5
CVE-2025-6991 HIGH
Kallyas Theme <4.21.0 - Code Injection
CVSS 7.5
CVE-2025-54138 HIGH
LibreNMS < 25.7.0 - Remote File Inclusion via ajax_form.php Type Parameter
CVSS 7.5
CVE-2025-24937 CRITICAL
Web Application <version> - Info Disclosure
CVSS 9.0
CVE-2025-54015 MEDIUM
HT Contact Form 7 <2.0.0 - Code Injection
CVSS 6.6
CVE-2025-6746 HIGH
WoodMart < 8.2.3 - Authenticated Local File Inclusion via Layout Attribute
CVSS 8.8
CVE-2025-7327 HIGH
Widget for Google Reviews <= 1.0.15 - Authenticated Directory Traversal and Remote Code Execution via Layout Parameter
CVSS 8.8
CVE-2025-52807 HIGH
ApusWP Kossy - Minimalist eCommerce WP <1.45 - Code Injection
CVSS 8.1
CVE-2025-4414 HIGH
CMSMasters Content Composer - Code Injection
CVSS 8.1
CVE-2025-49070 HIGH
Elessi < 6.4.1 - PHP Local File Inclusion
CVSS 7.5
CVE-2025-47627 HIGH
LCweb PrivateContent <2.3.2 - Code Injection
CVSS 7.5
CVE-2025-4689 CRITICAL
Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager <4.89 ...
CVSS 9.8
CVE-2025-4380 HIGH
Ads Pro Plugin <= 4.89 - Unauthenticated Local File Inclusion
CVSS 8.1
CVE-2025-53339 HIGH
Devnex Addons For Elementor <1.0.9 - Code Injection
CVSS 7.5
CVE-2025-53281 HIGH
WPBean WPB Category Slider for WooCommerce <1.71 - Code Injection
CVSS 7.5