CWE-98

High likelihood

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

Parent: CWE-706 - Use of Incorrectly-Resolved Name or Reference

The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions.

1,228 vulnerabilities with CWE-98
CVE-2025-30782 HIGH
WP Shuffle Subscribe to Download Lite <1.2.9 - Code Injection
CVSS 7.5
CVE-2025-31387 HIGH
InstaWP InstaWP Connect <0.1.0.82 - Code Injection
CVSS 7.5
CVE-2025-31016 HIGH
Crocoblock JetWooBuilder <2.1.18 - Code Injection
CVSS 7.5
CVE-2025-30835 HIGH
Bastien Ho Accounting for WooCommerce <1.6.8 - Code Injection
CVSS 7.5
CVE-2025-31432 HIGH
Pop-Up Chop Chop <2.1.7 - Code Injection
CVSS 7.5
CVE-2025-26890 HIGH
PluginUs.Net HUSKY <1.3.6.4 - Code Injection
CVSS 7.5
CVE-2025-26909 CRITICAL
Hide My WP Ghost <= 5.4.01 - PHP Local File Inclusion
CVSS 9.6
CVE-2025-30891 HIGH
WpTravelly <= 1.8.7 - Local File Inclusion
CVSS 8.8
CVE-2025-30890 HIGH
SuitePlugins Login Widget - Code Injection
CVSS 7.5
CVE-2025-30871 HIGH
WP Travel Engine <= 6.3.5 - PHP Local File Inclusion
CVSS 7.5
CVE-2025-30868 HIGH
DynamicWebLab Team Manager <2.1.23 - Code Injection
CVSS 7.5
CVE-2025-30846 HIGH
MotoPress Restaurant Menu <2.4.4 - Code Injection
CVSS 8.8
CVE-2025-30845 HIGH
The Pack Elementor Addons <2.1.1 - Code Injection
CVSS 7.5
CVE-2025-30831 HIGH
Themify Event Post <1.3.2 - Code Injection
CVSS 7.5
CVE-2025-30829 HIGH
Themewinter WPCafe <2.2.31 - Code Injection
CVSS 7.5
CVE-2025-30820 HIGH
HT Plugins WishSuite <1.4.4 - Code Injection
CVSS 7.5
CVE-2025-30814 HIGH
RadiusTheme The Post Grid <7.7.17 - Code Injection
CVSS 7.5
CVE-2025-30785 HIGH
WP Shuffle Subscribe to Download Lite <1.2.9 - RCE
CVSS 7.5
CVE-2025-28916 CRITICAL
Docpro <= 2.0.1 - PHP Local File Inclusion
CVSS 9.8
CVE-2025-27015 HIGH
Hostiko < 30.1 - Local File Inclusion
CVSS 7.5
CVE-2025-26986 HIGH
StylemixThemes Pearl - Corporate Business <3.4.8 - Code Injection
CVSS 8.1
CVE-2025-24690 HIGH
Michele Giorgi Formality <1.5.7 - Code Injection
CVSS 8.1
CVE-2025-23952 HIGH
ntm custom-field-list-widget <1.5.1 - Code Injection
CVSS 8.1
CVE-2025-23937 HIGH
LinkedIn Lite <= 1.0 - PHP Local File Inclusion
CVSS 8.1
CVE-2025-26137 HIGH
Systemic Risk Value <= 2.8.0 - Unauthenticated Local File Inclusion via GetFile.aspx ReportUrl Parameter
CVSS 7.5