CWE-98: PHP Remote File Inclusion
861 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories.
CVEs classified under CWE-98 (page 1 of 18)
- CVE-2012-10025 | CRITICAL | CVSS 10.0 | EG 0.0 | 2025-08-05
The WordPress plugin Advanced Custom Fields (ACF) version 3.5.1 and below contains a remote file inclusion (RFI) vulnerability in core/actions/export.php. When the PHP configuration directive allow_url_include is enabled (default: Off), an…
- CVE-2014-9186 | CRITICAL | CVSS 9.8 | EG 9.8 | 2019-04-08
A file inclusion vulnerability exists in the confd.exe module in Honeywell Experion PKS R40x before R400.6, R41x before R410.6, and R43x before R430.2, which could lead to accepting an arbitrary file into the function, and potential inform…
- CVE-2015-10133 | HIGH | CVSS 7.2 | EG 7.2 | 2025-07-19
The Subscribe to Comments for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 2.1.2 via the Path to header value. This allows authenticated attackers, with administrative privileges and above, to include a…
- CVE-2015-6461 | MEDIUM | CVSS 5.4 | EG 5.4 | 2019-03-21
Remote file inclusion allows an attacker to craft a specific URL referencing the Schneider Electric Modicon BMXNOC0401, BMXNOE0100, BMXNOE0110, BMXNOE0110H, BMXNOR0200H, BMXP342020, BMXP342020H, BMXP342030, BMXP3420302, BMXP3420302H, or BM…
- CVE-2016-6565 | HIGH | CVSS 7.5 | EG 7.5 | 2018-07-13
The Imagely NextGen Gallery plugin for Wordpress prior to version 2.1.57 does not properly validate user input in the cssfile parameter of a HTTP POST request, which may allow an authenticated user to read arbitrary files from the server, …
- CVE-2017-14095 | HIGH | CVSS 8.1 | EG 8.1 | 2018-01-19
A vulnerability in Trend Micro Smart Protection Server (Standalone) versions 3.2 and below could allow an attacker to perform remote command execution via a local file inclusion on a vulnerable system.
- CVE-2018-25324 | MEDIUM | CVSS 6.2 | EG 6.2 | 2026-05-17
Simple Fields 0.2 through 0.3.5 WordPress Plugin contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by injecting null bytes into the wp_abspath parameter on PHP versions before 5.3.4…
- CVE-2018-25329 | HIGH | CVSS 7.5 | EG 7.5 | 2026-05-17
WordPress Plugin WP with Spritz 1.0 contains a remote file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by injecting file paths into the url parameter. Attackers can send GET requests to wp.spritz.c…
- CVE-2019-5479 | HIGH | CVSS 7.5 | EG 7.5 | 2019-09-03
An unintended require vulnerability in <v0.5.5 larvitbase-api may allow an attacker to load arbitrary non-production code (JavaScript file).
- CVE-2020-13175 | HIGH | CVSS 7.5 | EG 7.5 | 2020-08-11
The Management Interface of the Teradici Cloud Access Connector and Cloud Access Connector Legacy for releases prior to April 20, 2020 (v15 and earlier for Cloud Access Connector) contains a local file inclusion vulnerability which allows …
- CVE-2020-37169 | MEDIUM | CVSS 5.5 | EG 5.5 | 2026-05-13
WordPress Plugin ultimate-member 2.1.3 contains a local file inclusion vulnerability that allows authenticated attackers to include arbitrary files by manipulating the pack parameter in class-admin-upgrade.php. Attackers can send POST requ…
- CVE-2020-37246 | MEDIUM | CVSS 6.2 | EG 6.2 | 2026-05-16
Supsystic Backup 2.3.9 contains a local file inclusion vulnerability that allows unauthenticated attackers to read and delete arbitrary files by manipulating the download path parameter. Attackers can modify the download parameter in admin…
- CVE-2020-5295 | MEDIUM | CVSS 4.8 | EG 4.8 | 2020-06-03
In OctoberCMS (october/october composer package) versions from 1.0.319 and before 1.0.466, an attacker can exploit this vulnerability to read local files of an October CMS server. The vulnerability is only exploitable by an authenticated b…
- CVE-2021-21804 | CRITICAL | CVSS 9.8 | EG 9.8 | 2021-07-16
A local file inclusion (LFI) vulnerability exists in the options.php script functionality of Advantech R-SeeNet v 2.4.12 (20.10.2020). A specially crafted HTTP request can lead to arbitrary PHP code execution. An attacker can send a crafte…
- CVE-2021-22968 | HIGH | CVSS 7.2 | EG 7.2 | 2021-11-19
A bypass of adding remote files in Concrete CMS (previously concrete5) File Manager leads to remote code execution in Concrete CMS (concrete5) versions 8.5.6 and below. The external file upload feature stages files in the public directory e…
- CVE-2021-29113 | MEDIUM | CVSS 4.7 | EG 4.7 | 2021-12-07
A remote file inclusion vulnerability in the ArcGIS Server help documentation may allow a remote, unauthenticated attacker to inject attacker supplied html into a page.
- CVE-2021-47734 | HIGH | CVSS 7.8 | EG 5.5 | 2025-12-23
CMSimple 5.4 contains an authenticated local file inclusion vulnerability that allows remote attackers to manipulate PHP session files and execute arbitrary code. Attackers can leverage the vulnerability by changing the functions file path…
- CVE-2021-47900 | CRITICAL | CVSS 9.8 | EG 9.8 | 2026-01-27
Gila CMS versions prior to 2.0.0 contain a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary system commands through manipulated HTTP headers. Attackers can inject PHP code in the User-Agent hea…
- CVE-2021-47978 | MEDIUM | CVSS 6.2 | EG 6.2 | 2026-05-16
ProcessMaker 3.5.4 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting improper path traversal validation. Attackers can send requests with directory traversal sequences…
- CVE-2022-40089 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-09-22
A remote file inclusion (RFI) vulnerability in Simple College Website v1.0 allows attackers to execute arbitrary code via a crafted PHP file. This vulnerability is exploitable when the directive allow_url_include is set to On.
- CVE-2022-41547 | HIGH | CVSS 7.5 | EG 7.5 | 2022-10-18
Mobile Security Framework (MobSF) v0.9.2 and below was discovered to contain a local file inclusion (LFI) vulnerability in the StaticAnalyzer/views.py script. This vulnerability allows attackers to read arbitrary files via a crafted HTTP r…
- CVE-2022-4446 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-12-13
PHP Remote File Inclusion in GitHub repository tsolucio/corebos prior to 8.0.
- CVE-2022-44786 | HIGH | CVSS 7.5 | EG 7.5 | 2022-11-21
An issue was discovered in Appalti & Contratti 9.12.2. The target web applications allow Local File Inclusion in any page relying on the href parameter to specify the JSP page to be rendered. This affects ApriPagina.do POST and GET request…
- CVE-2022-4606 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-12-18
PHP Remote File Inclusion in GitHub repository flatpressblog/flatpress prior to 1.3.
- CVE-2022-4982 | HIGH | CVSS 8.7 | EG 0.0 | 2025-11-12
DBLTek GoIP-1 firmware versions up to and including GHSFVT-1.1-67-5 contain a local file inclusion vulnerability. The device's web server exposes handlers (`frame.html` and `frame.A100.html`) that accept a path parameter (`content` or `sid…
- CVE-2022-50897 | MEDIUM | CVSS 5.5 | EG 6.2 | 2026-01-13
mPDF 7.0 contains a local file inclusion vulnerability that allows attackers to read arbitrary system files by manipulating annotation file parameters. Attackers can generate URL-encoded or base64 payloads to include local files through cr…
- CVE-2022-50954 | MEDIUM | CVSS 6.2 | EG 6.2 | 2026-05-10
WordPress Plugin cab-fare-calculator 1.0.3 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating the controller parameter in tblight.php. Attackers can supply path trave…
- CVE-2023-2249 | HIGH | CVSS 8.8 | EG 8.8 | 2023-06-09
The wpForo Forum plugin for WordPress is vulnerable to Local File Include, Server-Side Request Forgery, and PHAR Deserialization in versions up to, and including, 2.1.7. This is due to the insecure use of file_get_contents without appropri…
- CVE-2023-23565 | MEDIUM | CVSS 4.9 | EG 4.9 | 2023-08-22
An issue was discovered in Geomatika IsiGeo Web 6.0. It allows remote authenticated users to retrieve PHP files from the server via Local File Inclusion.
- CVE-2023-24217 | HIGH | CVSS 8.8 | EG 8.8 | 2023-03-06
AgileBio Electronic Lab Notebook v4.234 was discovered to contain a local file inclusion vulnerability.
- CVE-2023-2551 | HIGH | CVSS 8.8 | EG 7.2 | 2023-05-05
PHP Remote File Inclusion in GitHub repository unilogies/bumsys prior to 2.1.1.
- CVE-2023-25995 | HIGH | CVSS 7.5 | EG 7.5 | 2025-06-06
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in choicehomemortgage AI Mortgage Calculator allows PHP Local File Inclusion. This issue affects AI Mortgage Calculator: …
- CVE-2023-25998 | HIGH | CVSS 8.1 | EG 8.1 | 2025-06-27
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in snstheme Samex - Clean, Minimal Shop WooCommerce WordPress Theme allows PHP Local File Inclusion. This issue affects S…
- CVE-2023-25999 | HIGH | CVSS 8.1 | EG 8.1 | 2025-06-09
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in snstheme BodyCenter - Gym, Fitness WooCommerce WordPress Theme allows PHP Local File Inclusion. This issue affects Bod…
- CVE-2023-26005 | HIGH | CVSS 8.1 | EG 8.1 | 2025-06-09
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in BZOTheme Fitrush allows PHP Local File Inclusion. This issue affects Fitrush: from n/a through 1.3.4.
- CVE-2023-31716 | HIGH | CVSS 7.5 | EG 7.5 | 2023-09-22
FUXA <= 1.1.12 has a Local File Inclusion vulnerability via file=fuxa.log
- CVE-2023-31718 | HIGH | CVSS 7.5 | EG 7.5 | 2023-09-22
FUXA <= 1.1.12 is vulnerable to Local via Inclusion via /api/download.
- CVE-2023-3452 | CRITICAL | CVSS 9.8 | EG 9.8 | 2023-08-12
The Canto plugin for WordPress is vulnerable to Remote File Inclusion in versions up to, and including, 3.0.4 via the 'wp_abspath' parameter. This allows unauthenticated attackers to include and execute arbitrary remote code on the server,…
- CVE-2023-4195 | HIGH | CVSS 8.8 | EG 8.8 | 2023-08-06
PHP Remote File Inclusion in GitHub repository cockpit-hq/cockpit prior to 2.6.3.
- CVE-2023-4488 | CRITICAL | CVSS 9.8 | EG 9.8 | 2023-10-20
The Dropbox Folder Share for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 1.9.7 via the editor-view.php file. This allows unauthenticated attackers to include and execute arbitrary files on the server, …
- CVE-2023-49031 | MEDIUM | CVSS 5.1 | EG 5.1 | 2025-03-03
Directory Traversal (Local File Inclusion) vulnerability in Tikit (now Advanced) eMarketing platform 6.8.3.0 allows a remote attacker to read arbitrary files and obtain sensitive information via a crafted payload to the filename parameter …
- CVE-2023-49084 | HIGH | CVSS 8.0 | EG 9.0 | 2023-12-21
Cacti is a robust performance and fault management framework and a frontend to RRDTool - a Time Series Database (TSDB). While using the detected SQL Injection and insufficient processing of the include file path, it is possible to execute …
- CVE-2023-5099 | HIGH | CVSS 8.8 | EG 8.8 | 2023-10-31
The HTML filter and csv-file search plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 2.7 via the 'src' attribute of the 'csvsearch' shortcode. This allows authenticated attackers, with contributo…
- CVE-2023-5199 | CRITICAL | CVSS 9.9 | EG 9.9 | 2023-10-30
The PHP to Page plugin for WordPress is vulnerable Local File Inclusion to Remote Code Execution in versions up to, and including, 0.3 via the 'php-to-page' shortcode. This allows authenticated attackers with subscriber-level permissions o…
- CVE-2023-52325 | HIGH | CVSS 7.5 | EG 7.5 | 2024-01-23
A local file inclusion vulnerability in one of Trend Micro Apex Central's widgets could allow a remote attacker to execute arbitrary code on affected installations. Please note: this vulnerability must be used in conjunction with anothe…
- CVE-2023-5250 | HIGH | CVSS 8.8 | EG 6.4 | 2023-10-30
The Grid Plus plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 1.3.3 via a shortcode attribute. This allows subscriber-level, and above, attackers to include and execute arbitrary files on the se…
- CVE-2023-5815 | HIGH | CVSS 8.1 | EG 8.1 | 2023-11-22
The News & Blog Designer Pack – WordPress Blog Plugin — (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post Ticker, Blog Post Masonry) plugin for WordPress is vulnerable to Remote Code Execution via Local File Inclusion in…
- CVE-2023-6583 | MEDIUM | CVSS 6.6 | EG 6.6 | 2024-01-11
The Import and export users and customers plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.24.2 via the Recurring Import functionality. This makes it possible for authenticated attackers, wi…
- CVE-2023-6989 | CRITICAL | CVSS 9.8 | EG 9.8 | 2024-02-05
The Shield Security – Smart Bot Blocking & Intrusion Prevention Security plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 18.5.9 via the render_action_template parameter. This makes it poss…
- CVE-2024-0315 | MEDIUM | CVSS 6.6 | EG 6.6 | 2024-01-15
Remote file inclusion vulnerability in FireEye Central Management affecting version 9.1.1.956704. This vulnerability allows an attacker to upload a malicious PDF file to the system during the report creation process.