CWE-98— PHP Remote File Inclusion
861 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-98page 2 of 18
- CVE-2024-10436HIGHCVSS 8.8EG 8.82024-10-29
The WPC Smart Messages for WooCommerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.2.1 via the get_condition_value function. This makes it possible for authenticated attackers, with Su…
- CVE-2024-10571CRITICALCVSS 9.8EG 9.82024-11-14
The Chartify – WordPress Chart Plugin plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.9.5 via the 'source' parameter. This makes it possible for unauthenticated attackers to include and …
- CVE-2024-10871CRITICALCVSS 9.8EG 9.82024-11-09
The Category Ajax Filter plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.8.2 via the 'params[caf-post-layout]' parameter. This makes it possible for unauthenticated attackers to include an…
- CVE-2024-10873HIGHCVSS 8.8EG 8.82024-11-23
The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.4.2 via the _load_template function. This makes it possible for authenticated attackers, with Contri…
- CVE-2024-10898HIGHCVSS 8.8EG 8.82024-11-21
The Contact Form 7 Email Add on plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.9 via the cf7_email_add_on_add_admin_template() function. This makes it possible for authenticated attackers…
- CVE-2024-11289HIGHCVSS 8.1EG 8.12024-12-06
The Soledad theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 8.5.9 via several functions like penci_archive_more_post_ajax_func, penci_more_post_ajax_func, and penci_more_featured_post_ajax_fu…
- CVE-2024-11429HIGHCVSS 8.8EG 8.82024-12-05
The Free Responsive Testimonials, Social Proof Reviews, and Customer Reviews – Stars Testimonials plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.3.3 via the 'stars-testimonials-with-sli…
- CVE-2024-12040HIGHCVSS 8.8EG 8.82024-12-12
The Product Carousel Slider & Grid Ultimate for WooCommerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.9.10 via the 'theme' attribute of the `wcpcsu` shortcode. This makes it possible…
- CVE-2024-12209CRITICALCVSS 9.8EG 9.82024-12-08
The WP Umbrella: Update Backup Restore & Monitoring plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.17.0 via the 'filename' parameter of the 'umbrella-restore' action. This makes it possib…
- CVE-2024-12272HIGHCVSS 8.8EG 8.82024-12-25
The WP Travel Engine – Elementor Widgets | Create Travel Booking Website Using WordPress and Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.3.7 via several widgets. This makes…
- CVE-2024-12563HIGHCVSS 8.8EG 8.82025-03-18
The s2Member Pro plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 250214 via the 'template' attribute. This makes it possible for authenticated attackers, with contributor-level and above per…
- CVE-2024-12571CRITICALCVSS 9.8EG 9.82024-12-20
The Store Locator for WordPress with Google Maps – LotsOfLocales plugin for WordPress is vulnerable to Local File Inclusion in version 3.98.9 via the 'sl_engine' parameter. This makes it possible for unauthenticated attackers to include …
- CVE-2024-12811HIGHCVSS 8.8EG 8.82025-02-28
The Traveler theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.1.9 via shortcodes. This makes it possible for authenticated attackers, with contributor-level and above permissions, to include…
- CVE-2024-12859HIGHCVSS 8.8EG 8.82025-02-03
The BoomBox Theme Extensions plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.8.0 via the 'boombox_listing' shortcode 'type' attribute. This makes it possible for authenticated attackers, w…
- CVE-2024-13353HIGHCVSS 8.8EG 8.82025-02-21
The Responsive Addons for Elementor – Free Elementor Addons Plugin and Elementor Templates plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.6.4 via several widgets. This makes it possible…
- CVE-2024-13408HIGHCVSS 7.5EG 7.52025-01-24
The Post Grid, Slider & Carousel Ultimate – with Shortcode, Gutenberg Block & Elementor Widget plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.6.10 via the 'theme' attribute of the `pgcu…
- CVE-2024-13592HIGHCVSS 7.5EG 7.52025-02-19
The Team Builder For WPBakery Page Builder(Formerly Visual Composer) plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.0 via the 'team-builder-vc' shortcode. This makes it possible for authe…
- CVE-2024-13593HIGHCVSS 7.5EG 7.52025-01-23
The BMLT Meeting Map plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.6.0 via the 'bmlt_meeting_map' shortcode. This makes it possible for authenticated attackers, with Contributor-level ac…
- CVE-2024-13790CRITICALCVSS 9.8EG 9.82025-03-19
The MinimogWP – The High Converting eCommerce WordPress Theme theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.7.0 via the 'template' parameter. This makes it possible for unauthenticated …
- CVE-2024-1382HIGHCVSS 8.8EG 8.82024-03-07
The Restaurant Reservations plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.9 via the nd_rst_layout attribute of the nd_rst_search shortcode. This makes it possible for authenticated attac…
- CVE-2024-14002MEDIUMCVSS 5.5EG 5.52025-10-30
Nagios XI versions prior to 2024R1.1.4 contain a local file inclusion (LFI) vulnerability via its NagVis integration. An authenticated user can supply crafted path values that cause the server to include local files, potentially exposing …
- CVE-2024-1600CRITICALCVSS 9.3EG 9.32024-04-10
A Local File Inclusion (LFI) vulnerability exists in the parisneo/lollms-webui application, specifically within the `/personalities` route. An attacker can exploit this vulnerability by crafting a URL that includes directory traversal sequ…
- CVE-2024-2047HIGHCVSS 8.8EG 8.82024-03-30
The ElementsKit Elementor addons plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.0.6 via the render_raw function. This makes it possible for authenticated attackers, with contributor-level…
- CVE-2024-21687HIGHCVSS 8.1EG 8.12024-07-16
This High severity File Inclusion vulnerability was introduced in versions 9.0.0, 9.1.0, 9.2.0, 9.3.0, 9.4.0, 9.5.0 and 9.6.0 of Bamboo Data Center and Server. This File Inclusion vulnerability, with a CVSS Score of 8.1, allows an authent…
- CVE-2024-2411CRITICALCVSS 9.8EG 9.82024-03-29
The MasterStudy LMS plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.3.0 via the 'modal' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary fil…
- CVE-2024-27971HIGHCVSS 8.3EG 8.32024-05-17
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Premmerce Premmerce Permalink Manager for WooCommerce woo-permalink-manager.This issue affects Premmerce Permalink Man…
- CVE-2024-3061HIGHCVSS 7.2EG 7.22024-03-29
The HUSKY – Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.3.5.2 via the 'type' parameter. This makes it possible for authenticated attacker…
- CVE-2024-30849CRITICALCVSS 9.8EG 9.82024-04-05
Arbitrary file upload vulnerability in Sourcecodester Complete E-Commerce Site v1.0, allows remote attackers to execute arbitrary code via filename parameter in admin/products_photo.php.
- CVE-2024-3136CRITICALCVSS 9.8EG 9.82024-04-09
The MasterStudy LMS plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.3.3 via the 'template' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary …
- CVE-2024-31459HIGHCVSS 8.0EG 8.02024-05-14
Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, there is a file inclusion issue in the `lib/plugin.php` file. Combined with SQL injection vulnerabilities, remote code execution can be imple…
- CVE-2024-32523HIGHCVSS 8.1EG 8.12024-05-17
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in EverPress Mailster mailster.This issue affects Mailster: from n/a through <= 4.0.6.
- CVE-2024-33863CRITICALCVSS 9.8EG 9.82024-05-14
An issue was discovered in linqi before 1.4.0.1 on Windows. There is /api/Cdn/GetFile local file inclusion.
- CVE-2024-34314MEDIUMCVSS 4.9EG 4.92024-05-07
CmsEasy v7.7.7.9 was discovered to contain a local file inclusion vunerability via the file_get_contents function in the fetch_action method of /admin/template_admin.php. This vulnerability allows attackers to read arbitrary files.
- CVE-2024-3499HIGHCVSS 8.8EG 8.82024-05-02
The ElementsKit Elementor addons plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.1.0 via the generate_navigation_markup function of the Onepage Scroll module. This makes it possible for au…
- CVE-2024-3500HIGHCVSS 8.8EG 8.82024-05-02
The ElementsKit Pro plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.6.0 via the Price Menu, Hotspot, and Advanced Toggle widgets. This makes it possible for authenticated attackers, with c…
- CVE-2024-3551CRITICALCVSS 9.8EG 9.82024-05-17
The Penci Soledad Data Migrator plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.3.0 via the 'data' parameter. This makes it possible for unauthenticated attackers to include and execute ar…
- CVE-2024-35629CRITICALCVSS 9.6EG 9.62024-06-04
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Wow-Company Easy Digital Downloads – Recent Purchases allows PHP Remote File Inclusion.This issue affects Easy Digit…
- CVE-2024-3564HIGHCVSS 8.8EG 8.82024-06-01
The Content Blocks (Custom Post Widget) plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.3.0 via the plugin's 'content_block' shortcode. This makes it possible for authenticated attackers, …
- CVE-2024-35650MEDIUMCVSS 4.9EG 4.92024-06-10
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Melapress MelaPress Login Security melapress-login-security.This issue affects MelaPress Login Security: from n/a thro…
- CVE-2024-36415CRITICALCVSS 9.1EG 9.12024-06-10
SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a vulnerability in uploaded file verification in products allows for remote code execution. Versions 7.14.4 and 8.6…
- CVE-2024-36569HIGHCVSS 8.1EG 8.12024-06-03
Sourcecodester Gas Agency Management System v1.0 is vulnerable to arbitrary code execution via editClientImage.php.
- CVE-2024-37410MEDIUMCVSS 4.9EG 4.92024-07-09
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in IdeaBox Creations PowerPack Lite for Beaver Builder powerpack-addon-for-beaver-builder.This issue affects PowerPack Li…
- CVE-2024-37479HIGHCVSS 8.5EG 8.52024-07-02
Local File Inclusion vulnerability in LA-Studio LA-Studio Element Kit for Elementor via "LaStudioKit Progress Bar" widget in New Post, specifically in the "progress_type" attribute.This issue affects LA-Studio Element Kit for Elementor: fr…
- CVE-2024-37520MEDIUMCVSS 6.5EG 6.52024-07-09
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in RadiusTheme ShopBuilder – Elementor WooCommerce Builder Addons shopbuilder.This issue affects ShopBuilder – Elemen…
- CVE-2024-3806CRITICALCVSS 9.8EG 9.82024-05-14
The Porto theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 7.1.0 via the 'porto_ajax_posts' function. This makes it possible for unauthenticated attackers to include and execute arbitrary file…
- CVE-2024-3807HIGHCVSS 8.8EG 8.82024-05-14
The Porto theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 7.1.0 via 'porto_page_header_shortcode_type', 'slideshow_type' and 'post_layout' post meta. This makes it possible for authenticated …
- CVE-2024-3808HIGHCVSS 8.8EG 8.82024-05-14
The Porto Theme - Functionality plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.1.0 via the 'porto_portfolios' shortcode 'portfolio_layout' attribute. This makes it possible for authentica…
- CVE-2024-3809HIGHCVSS 8.8EG 8.82024-05-14
The Porto Theme - Functionality plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.0.9 via the 'slideshow_type' post meta. This makes it possible for authenticated attackers, with contributor…
- CVE-2024-3810HIGHCVSS 8.8EG 8.82024-05-18
The Salient Shortcodes plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.5.3 via the 'icon' shortcode 'image' attribute. This makes it possible for authenticated attackers, with contributor-…
- CVE-2024-3812HIGHCVSS 7.5EG 7.52024-05-18
The Salient Core plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.0.7 via the 'nectar_icon' shortcode 'icon_linea' attribute. This makes it possible for authenticated attackers, with contri…
Map vulnerabilities like CWE-98 to your infrastructure
EchelonGraph correlates every CVE — across CWE-98 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →