CWE-98: PHP Remote File Inclusion — known CVE vulnerabilities
CVEs classified under CWE-98 (PHP Remote File Inclusion), ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (50)
CVE-2025-25174 — CVSS 10.0 (critical): Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in beeteam368…
CVE-2012-10025: The WordPress plugin Advanced Custom Fields (ACF) version 3.5.1 and below contains a remote file inclusion (RFI) vulnerability in…
CVE-2026-41228 — CVSS 9.9 (critical): Froxlor is open source server administration software. Prior to version 2.3.6, the Froxlor API endpoint `Customers.update` (and…
CVE-2025-31340: A improper control of filename for include/require statement in PHP program vulnerability in the retrieve course Information function of…
CVE-2023-5199 — CVSS 9.9 (critical): The PHP to Page plugin for WordPress is vulnerable Local File Inclusion to Remote Code Execution in versions up to, and including, 0.3 via…
CVE-2026-7515 — CVSS 9.8 (critical): The BetterDocs Pro plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 3.8.0 via the `doc_style`…
CVE-2026-27065 — CVSS 9.8 (critical): Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThimPress…
CVE-2026-3826 — CVSS 9.8 (critical): IFTOP developed by WellChoose has a Local File Inclusion vulnerability, allowing unauthenticated remote attackers to execute arbitrary code…
CVE-2026-28043 — CVSS 9.8 (critical): Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Healer -…
CVE-2026-0926 — CVSS 9.8 (critical): The Prodigy Commerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.3.0 via the…
CVE-2021-47900 — CVSS 9.8 (critical): Gila CMS versions prior to 2.0.0 contain a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary…
CVE-2025-14502 — CVSS 9.8 (critical): The News and Blog Designer Bundle plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.1 via…
CVE-2025-53433 — CVSS 9.8 (critical): Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes…
CVE-2025-63888 — CVSS 9.8 (critical): The read function in file thinkphp\library\think\template\driver\File.php in ThinkPHP 5.0.24 contains a remote code execution vulnerability.
CVE-2025-41734 — CVSS 9.8 (critical): An unauthenticated remote attacker can execute arbitrary php files and gain full access of the affected devices.
CVE-2025-11023 — CVSS 9.8 (critical): Inclusion of Functionality from Untrusted Control Sphere, Improper Control of Filename for Include/Require Statement in PHP Program ('PHP…
CVE-2025-7634 — CVSS 9.8 (critical): The WP Travel Engine – Tour Booking Plugin – Tour Operator Software plugin for WordPress is vulnerable to Local File Inclusion in all…
CVE-2025-7721 — CVSS 9.8 (critical): The JoomSport – for Sports: Team & League, Football, Hockey & more plugin for WordPress is vulnerable to Local File Inclusion in all…
CVE-2025-48293 — CVSS 9.8 (critical): Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Dylan Kuhn Geo…
CVE-2025-8913 — CVSS 9.8 (critical): Organization Portal System developed by WellChoose has a Local File Inclusion vulnerability, allowing unauthenticated remote attackers to…
CVE-2025-4689 — CVSS 9.8 (critical): The Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager plugin for WordPress is vulnerable to Local File Inclusion which leads to…
CVE-2025-46468 — CVSS 9.8 (critical): Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WPFable Fable…
CVE-2025-39406 — CVSS 9.8 (critical): Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in mojoomla WPAMS…
CVE-2025-32577 — CVSS 9.8 (critical): Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in hakeemnala Build…
CVE-2025-28916 — CVSS 9.8 (critical): Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Rashid Docpro…
CVE-2024-13790 — CVSS 9.8 (critical): The MinimogWP – The High Converting eCommerce WordPress Theme theme for WordPress is vulnerable to Local File Inclusion in all versions…
CVE-2025-1771 — CVSS 9.8 (critical): The Traveler theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.1.8 via the…
CVE-2024-9193 — CVSS 9.8 (critical): The WHMpress - WHMCS WordPress Integration Plugin plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and…
CVE-2024-12571 — CVSS 9.8 (critical): The Store Locator for WordPress with Google Maps – LotsOfLocales plugin for WordPress is vulnerable to Local File Inclusion in version…
CVE-2024-12209 — CVSS 9.8 (critical): The WP Umbrella: Update Backup Restore & Monitoring plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and…
CVE-2024-10571 — CVSS 9.8 (critical): The Chartify – WordPress Chart Plugin plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including…
CVE-2024-10871 — CVSS 9.8 (critical): The Category Ajax Filter plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.8.2 via the…
CVE-2024-41925 — CVSS 9.8 (critical): The web service for ONS-S8 - Spectra Aggregation Switch includes functions which do not properly validate user input, allowing an attacker…
CVE-2024-4258 — CVSS 9.8 (critical): The Video Gallery – YouTube Playlist, Channel Gallery by YotuWP plugin for WordPress is vulnerable to Local File Inclusion in all…
CVE-2024-5577 — CVSS 9.8 (critical): The Where I Was, Where I Will Be plugin for WordPress is vulnerable to Remote File Inclusion in version <= 1.1.1 via the WIW_HEADER…
CVE-2024-4936 — CVSS 9.8 (critical): The Canto plugin for WordPress is vulnerable to Remote File Inclusion in all versions up to, and including, 3.0.8 via the abspath…
CVE-2024-3551 — CVSS 9.8 (critical): The Penci Soledad Data Migrator plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.3.0 via…
CVE-2024-33863 — CVSS 9.8 (critical): An issue was discovered in linqi before 1.4.0.1 on Windows. There is /api/Cdn/GetFile local file inclusion.
CVE-2024-3806 — CVSS 9.8 (critical): The Porto theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 7.1.0 via the 'porto_ajax_posts'…
CVE-2024-3136 — CVSS 9.8 (critical): The MasterStudy LMS plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.3.3 via the…
CVE-2024-30849 — CVSS 9.8 (critical): Arbitrary file upload vulnerability in Sourcecodester Complete E-Commerce Site v1.0, allows remote attackers to execute arbitrary code via…
CVE-2024-2411 — CVSS 9.8 (critical): The MasterStudy LMS plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.3.0 via the 'modal'…
CVE-2023-6989 — CVSS 9.8 (critical): The Shield Security – Smart Bot Blocking & Intrusion Prevention Security plugin for WordPress is vulnerable to Local File Inclusion in…
CVE-2023-4488 — CVSS 9.8 (critical): The Dropbox Folder Share for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 1.9.7 via the…
CVE-2023-3452 — CVSS 9.8 (critical): The Canto plugin for WordPress is vulnerable to Remote File Inclusion in versions up to, and including, 3.0.4 via the 'wp_abspath'…
CVE-2022-40089 — CVSS 9.8 (critical): A remote file inclusion (RFI) vulnerability in Simple College Website v1.0 allows attackers to execute arbitrary code via a crafted PHP…
CVE-2025-26909 — CVSS 9.6 (critical): Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in John Darrel Hide…
CVE-2024-43261 — CVSS 9.6 (critical): Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Hamed Naderfar…