CWE-98— PHP Remote File Inclusion
The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions.— MITRE CWE catalog
1,240 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-98page 18 of 25
- CVE-2025-69123HIGHCVSS 8.1EG 8.12026-06-17
Unauthenticated Local File Inclusion in Snow Club <= 1.1 versions.
- CVE-2025-69124HIGHCVSS 8.1EG 8.12026-06-17
Unauthenticated Local File Inclusion in Especio <= 1.0 versions.
- CVE-2025-69125HIGHCVSS 8.1EG 8.12026-06-17
Unauthenticated Local File Inclusion in Food Drop <= 1.3 versions.
- CVE-2025-69126HIGHCVSS 8.1EG 8.12026-06-17
Unauthenticated Local File Inclusion in Fortius <= 2.3.0 versions.
- CVE-2025-69133HIGHCVSS 7.5EG 7.52026-07-02
Subscriber Local File Inclusion in Tourmaster <= 5.4.5 versions.
- CVE-2025-69136HIGHCVSS 8.1EG 8.12026-06-17
Unauthenticated Local File Inclusion in Wanium <= 1.9.8 versions.
- CVE-2025-69141HIGHCVSS 8.1EG 8.12026-06-17
Unauthenticated Local File Inclusion in Kelly Young <= 1.1.0 versions.
- CVE-2025-69142HIGHCVSS 8.1EG 8.12026-06-17
Unauthenticated Local File Inclusion in Abelle <= 1.22 versions.
- CVE-2025-69143HIGHCVSS 8.1EG 8.12026-06-17
Unauthenticated Local File Inclusion in Mission <= 1.22 versions.
- CVE-2025-69144HIGHCVSS 8.1EG 8.12026-06-17
Unauthenticated Local File Inclusion in Preservation <= 1.10 versions.
- CVE-2025-69145HIGHCVSS 8.1EG 8.12026-06-17
Unauthenticated Local File Inclusion in Gat <= 1.16 versions.
- CVE-2025-69146HIGHCVSS 8.1EG 8.12026-06-17
Unauthenticated Local File Inclusion in Dom <= 1.24 versions.
- CVE-2025-69147HIGHCVSS 8.1EG 8.12026-06-17
Unauthenticated Local File Inclusion in Putter <= 1.17 versions.
- CVE-2025-69148HIGHCVSS 8.1EG 8.12026-06-17
Unauthenticated Local File Inclusion in Quirky <= 1.23 versions.
- CVE-2025-69149HIGHCVSS 8.1EG 8.12026-06-17
Unauthenticated Local File Inclusion in Top Dog <= 1.0.5 versions.
- CVE-2025-69150HIGHCVSS 8.1EG 8.12026-06-17
Unauthenticated Local File Inclusion in Medeus <= 1.14 versions.
- CVE-2025-69157HIGHCVSS 8.1EG 8.12026-06-17
Unauthenticated Local File Inclusion in Gamic <= 1.15 versions.
- CVE-2025-69158HIGHCVSS 8.1EG 8.12026-06-17
Unauthenticated Local File Inclusion in Granola <= 1.13 versions.
- CVE-2025-69159HIGHCVSS 8.1EG 8.12026-06-17
Unauthenticated Local File Inclusion in Printo <= 1.11 versions.
- CVE-2025-69160HIGHCVSS 8.1EG 8.12026-06-17
Unauthenticated Local File Inclusion in Gita <= 1.11 versions.
- CVE-2025-69161HIGHCVSS 8.1EG 8.12026-06-17
Unauthenticated Local File Inclusion in Snowy <= 1.13 versions.
- CVE-2025-69162HIGHCVSS 8.1EG 8.12026-06-17
Unauthenticated Local File Inclusion in Grecko <= 5.17 versions.
- CVE-2025-69163HIGHCVSS 8.1EG 8.12026-06-17
Unauthenticated Local File Inclusion in WineShop <= 3.17 versions.
- CVE-2025-69164HIGHCVSS 8.1EG 8.12026-06-17
Unauthenticated Local File Inclusion in Skyward <= 1.10 versions.
- CVE-2025-69165HIGHCVSS 8.1EG 8.12026-06-17
Unauthenticated Local File Inclusion in Choreo <= 1.6 versions.
- CVE-2025-69166HIGHCVSS 8.1EG 8.12026-06-17
Unauthenticated Local File Inclusion in Gunslinger <= 1.7 versions.
- CVE-2025-69167HIGHCVSS 8.1EG 8.12026-06-17
Unauthenticated Local File Inclusion in Eros <= 1.3 versions.
- CVE-2025-69168HIGHCVSS 8.1EG 8.12026-06-17
Unauthenticated Local File Inclusion in Spike <= 1.2 versions.
- CVE-2025-69170HIGHCVSS 8.1EG 8.12026-06-17
Unauthenticated Local File Inclusion in Eventicity <= 1.5 versions.
- CVE-2025-69171HIGHCVSS 8.1EG 8.12026-06-17
Unauthenticated Local File Inclusion in Orpheus <= 1.3 versions.
- CVE-2025-69172HIGHCVSS 8.1EG 8.12026-06-17
Unauthenticated Local File Inclusion in Resurs <= 1.3 versions.
- CVE-2025-69173HIGHCVSS 8.1EG 8.12026-06-17
Unauthenticated Local File Inclusion in Tipsy <= 1.1 versions.
- CVE-2025-69174HIGHCVSS 8.1EG 8.12026-06-17
Unauthenticated Local File Inclusion in Etude <= 1.6 versions.
- CVE-2025-69175HIGHCVSS 8.1EG 8.12026-06-17
Unauthenticated Local File Inclusion in Line Agency <= 1.3.1 versions.
- CVE-2025-69176HIGHCVSS 8.1EG 8.12026-06-17
Unauthenticated Local File Inclusion in ITactics <= 1.0 versions.
- CVE-2025-69177HIGHCVSS 8.1EG 8.12026-06-17
Unauthenticated Local File Inclusion in Roneous <= 2.1.5 versions.
- CVE-2025-69178HIGHCVSS 8.1EG 8.12026-06-17
Unauthenticated Local File Inclusion in Truemag <= 4.3.14.2 versions.
- CVE-2025-69314HIGHCVSS 8.1EG 8.12026-01-22
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in fuelthemes Werkstatt werkstatt allows PHP Local File Inclusion.This issue affects Werkstatt: from n/a through < 4.8.3.
- CVE-2025-69322HIGHCVSS 8.1EG 8.12026-02-20
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in fuelthemes PeakShops peakshops allows PHP Local File Inclusion.This issue affects PeakShops: from n/a through < 1.5.9.
- CVE-2025-69339HIGHCVSS 8.1EG 8.12026-03-05
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in don-themes Molla molla allows PHP Local File Inclusion.This issue affects Molla: from n/a through <= 1.5.16.
- CVE-2025-69342HIGHCVSS 7.5EG 7.52026-01-06
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in VanKarWai Calafate calafate allows PHP Local File Inclusion.This issue affects Calafate: from n/a through <= 1.7.7.
- CVE-2025-69356HIGHCVSS 7.5EG 7.52026-01-06
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CodexThemes TheGem Theme Elements (for Elementor) thegem-elements-elementor allows PHP Local File Inclusion.This issue…
- CVE-2025-69369HIGHCVSS 8.1EG 8.12026-06-02
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Axiomthemes Racquet allows PHP Local File Inclusion. This issue affects Racquet: from n/a through 1.12.0.
- CVE-2025-69373HIGHCVSS 7.5EG 7.52026-02-20
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in beeteam368 VidoRev vidorev allows PHP Local File Inclusion.This issue affects VidoRev: from n/a through <= 2.9.9.9.9.9…
- CVE-2025-69374HIGHCVSS 8.1EG 8.12026-02-20
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in SolverWp Eleblog – Elementor Blog And Magazine Addons ele-blog allows PHP Local File Inclusion.This issue affects El…
- CVE-2025-69375HIGHCVSS 8.1EG 8.12026-02-20
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in SolverWp Portfolio Builder swp-portfolio allows PHP Local File Inclusion.This issue affects Portfolio Builder: from n/…
- CVE-2025-69383HIGHCVSS 7.5EG 7.52026-02-20
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Agence web Eoxia - Montpellier WP shop wpshop allows PHP Local File Inclusion.This issue affects WP shop: from n/a thr…
- CVE-2025-69387HIGHCVSS 7.5EG 7.52026-02-20
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in whatwouldjessedo Simple Retail Menus simple-retail-menus allows PHP Local File Inclusion.This issue affects Simple Ret…
- CVE-2025-69395HIGHCVSS 8.1EG 8.12026-02-20
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Gable gable allows PHP Local File Inclusion.This issue affects Gable: from n/a through <= 1.5.
- CVE-2025-69396HIGHCVSS 8.1EG 8.12026-02-20
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Splendour splendour allows PHP Local File Inclusion.This issue affects Splendour: from n/a through <= 1.23.
Map vulnerabilities like CWE-98 to your infrastructure
EchelonGraph correlates every CVE — across CWE-98 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →