CWE-98— PHP Remote File Inclusion
The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions.— MITRE CWE catalog
1,240 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-98page 3 of 25
- CVE-2024-37479HIGHCVSS 8.5EG 8.52024-07-02
Local File Inclusion vulnerability in LA-Studio LA-Studio Element Kit for Elementor via "LaStudioKit Progress Bar" widget in New Post, specifically in the "progress_type" attribute.This issue affects LA-Studio Element Kit for Elementor: fr…
- CVE-2024-37520MEDIUMCVSS 6.5EG 6.52024-07-09
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in RadiusTheme ShopBuilder – Elementor WooCommerce Builder Addons shopbuilder.This issue affects ShopBuilder – Elemen…
- CVE-2024-3806CRITICALCVSS 9.8EG 9.82024-05-14
The Porto theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 7.1.0 via the 'porto_ajax_posts' function. This makes it possible for unauthenticated attackers to include and execute arbitrary file…
- CVE-2024-3807HIGHCVSS 8.8EG 8.82024-05-14
The Porto theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 7.1.0 via 'porto_page_header_shortcode_type', 'slideshow_type' and 'post_layout' post meta. This makes it possible for authenticated …
- CVE-2024-3808HIGHCVSS 8.8EG 8.82024-05-14
The Porto Theme - Functionality plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.1.0 via the 'porto_portfolios' shortcode 'portfolio_layout' attribute. This makes it possible for authentica…
- CVE-2024-3809HIGHCVSS 8.8EG 8.82024-05-14
The Porto Theme - Functionality plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.0.9 via the 'slideshow_type' post meta. This makes it possible for authenticated attackers, with contributor…
- CVE-2024-3810HIGHCVSS 8.8EG 8.82024-05-18
The Salient Shortcodes plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.5.3 via the 'icon' shortcode 'image' attribute. This makes it possible for authenticated attackers, with contributor-…
- CVE-2024-3812HIGHCVSS 7.5EG 7.52024-05-18
The Salient Core plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.0.7 via the 'nectar_icon' shortcode 'icon_linea' attribute. This makes it possible for authenticated attackers, with contri…
- CVE-2024-3813HIGHCVSS 8.8EG 8.82024-06-15
The tagDiv Composer plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.8 via the 'td_block_title' shortcode 'block_template_id' attribute. This makes it possible for authenticated attackers, …
- CVE-2024-3849HIGHCVSS 8.8EG 8.82024-05-02
The Click to Chat – HoliThemes plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.35. This makes it possible for authenticated attackers, with contributor access or above, to include and ex…
- CVE-2024-38735HIGHCVSS 7.5EG 7.52024-07-12
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Bastien Ho Event post event-post.This issue affects Event post: from n/a through <= 5.9.5.
- CVE-2024-40112MEDIUMCVSS 5.9EG 5.92025-06-02
A Local File Inclusion (LFI) vulnerability exists in Sitecom WLX-2006 Wall Mount Range Extender N300 v1.5 and before, which allows an attacker to manipulate the "language" cookie to include arbitrary files from the server. This vulnerabili…
- CVE-2024-41925CRITICALCVSS 9.8EG 9.82024-10-03
The web service for ONS-S8 - Spectra Aggregation Switch includes functions which do not properly validate user input, allowing an attacker to traverse directories, bypass authentication, and execute remote code.
- CVE-2024-4258CRITICALCVSS 9.8EG 9.82024-06-15
The Video Gallery – YouTube Playlist, Channel Gallery by YotuWP plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.3.13 via the settings parameter. This makes it possible for unauthenticate…
- CVE-2024-43261CRITICALCVSS 9.6EG 9.62024-08-19
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Hamed Naderfar Compute Links allows PHP Remote File Inclusion.This issue affects Compute Links: from n/a through 1.2.1.
- CVE-2024-4359MEDIUMCVSS 6.5EG 6.52024-08-12
The Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) plugin for WordPress is vulnerable to arbitrary file reads in all versions up to, and including, 5.7.2 via the SVG widget and a lac…
- CVE-2024-44023HIGHCVSS 8.1EG 8.12024-10-05
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in abcapp ABCApp Creator abcapp-creator.This issue affects ABCApp Creator: from n/a through <= 1.1.2.
- CVE-2024-44048MEDIUMCVSS 6.5EG 6.52024-09-23
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in wpWax Product Carousel Slider & Grid Ultimate for WooCommerce woo-product-carousel-slider-and-grid-ultimate.This issue…
- CVE-2024-4441HIGHCVSS 8.1EG 8.12024-05-14
The XML Sitemap & Google News plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 5.4.8 via the 'feed' parameter. This makes it possible for unauthenticated attackers to include and execute arbi…
- CVE-2024-45077MEDIUMCVSS 6.5EG 6.52025-01-24
IBM Maximo Asset Management 7.6.1.3 MXAPIASSET API is vulnerable to unrestricted file upload which allows authenticated low privileged user to upload restricted file types with a simple method of adding a dot to the end of the file name if…
- CVE-2024-4551MEDIUMCVSS 6.4EG 6.42024-06-15
The Video Gallery – YouTube Playlist, Channel Gallery by YotuWP plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.3.13 via the display function. This makes it possible for authenticated at…
- CVE-2024-4670HIGHCVSS 8.8EG 8.82024-05-15
The All-in-One Video Gallery plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.6.5 via the aiovg_search_form shortcode. This makes it possible for authenticated attackers, with contributor-l…
- CVE-2024-47323HIGHCVSS 8.1EG 8.12024-10-05
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Ex-Themes WP Timeline – Vertical and Horizontal timeline plugin wp-timelines.This issue affects WP Timeline – Vert…
- CVE-2024-48029HIGHCVSS 7.5EG 7.52024-10-16
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Hung Trang Si SB Random Posts Widget sb-random-posts-widget allows PHP Local File Inclusion.This issue affects SB Rand…
- CVE-2024-4887HIGHCVSS 7.5EG 7.52024-06-07
The Qi Addons For Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.7.2 via the 'behavior' attributes found in the qi_addons_for_elementor_blog_list shortcode. This makes it possib…
- CVE-2024-49243HIGHCVSS 7.5EG 7.52024-10-18
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ramjon27 Dynamic Elementor Addons dynamic-elementor-addons allows PHP Local File Inclusion.This issue affects Dynamic …
- CVE-2024-49251HIGHCVSS 7.5EG 7.52024-10-16
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Acnoo Maan Addons For Elementor maan-elementor-addons allows Local Code Inclusion.This issue affects Maan Addons For E…
- CVE-2024-49317HIGHCVSS 7.5EG 7.52024-10-17
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ZIPANG Point Maker point-maker allows PHP Local File Inclusion.This issue affects Point Maker: from n/a through <= 0.1…
- CVE-2024-4936CRITICALCVSS 9.8EG 9.82024-06-14
The Canto plugin for WordPress is vulnerable to Remote File Inclusion in all versions up to, and including, 3.0.8 via the abspath parameter. This makes it possible for unauthenticated attackers to include remote files on the server, result…
- CVE-2024-49649CRITICALCVSS 9.8EG 9.82025-01-07
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in hakeemnala Build App Online build-app-online allows PHP Local File Inclusion.This issue affects Build App Online: from…
- CVE-2024-49690HIGHCVSS 7.5EG 7.52024-10-23
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Qode Qi Blocks qi-blocks.This issue affects Qi Blocks: from n/a through <= 1.3.2.
- CVE-2024-49701HIGHCVSS 7.5EG 7.52024-10-23
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in themehorse Mags mags.This issue affects Mags: from n/a through <= 1.1.6.
- CVE-2024-50434HIGHCVSS 7.5EG 7.52024-10-28
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in themehorse NewsCard newscard.This issue affects NewsCard: from n/a through <= 1.3.
- CVE-2024-50435HIGHCVSS 7.5EG 7.52024-10-28
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in themehorse Meta News meta-news.This issue affects Meta News: from n/a through <= 1.1.7.
- CVE-2024-50436HIGHCVSS 7.5EG 7.52024-10-28
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in themehorse Clean Retina clean-retina.This issue affects Clean Retina: from n/a through <= 3.0.6.
- CVE-2024-50457HIGHCVSS 7.5EG 7.52024-10-28
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Qode Qode Essential Addons qode-essential-addons.This issue affects Qode Essential Addons: from n/a through <= 1.6.3.
- CVE-2024-50497HIGHCVSS 8.1EG 8.12024-10-28
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in wdesco Advanced Online Ordering and Delivery Platform advanced-online-ordering-and-delivery-platform allows PHP Local …
- CVE-2024-51319HIGHCVSS 7.3EG 7.32025-03-11
A local file include vulnerability in the /servlet/Report of Zucchetti Ad Hoc Infinity 2.4 allows an authenticated attacker to achieve Remote Code Execution by uploading a jsp web/reverse shell through /jsp/zimg_upload.jsp.
- CVE-2024-51541HIGHCVSS 8.2EG 8.22024-12-05
Local File Inclusion vulnerabilities allow access to sensitive system information. Affected products: ABB ASPECT - Enterprise v3.08.02; NEXUS Series v3.08.02; MATRIX Series v3.08.02
- CVE-2024-52381HIGHCVSS 8.1EG 8.12024-11-14
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Shoaib Rehmat ZIJ KART zij-kart allows PHP Local File Inclusion.This issue affects ZIJ KART: from n/a through <= 1.1.
- CVE-2024-52385MEDIUMCVSS 4.3EG 4.32024-12-09
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in wpmart Team Member team-showcase-supreme.This issue affects Team Member: from n/a through <= 7.4.
- CVE-2024-52386MEDIUMCVSS 5.3EG 5.32024-11-16
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in RadiusTheme Classified Listing classified-listing allows PHP Local File Inclusion.This issue affects Classified Listin…
- CVE-2024-52428HIGHCVSS 8.1EG 8.12024-11-18
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Peter Ads Booster by Ads Pro free-wp-booster-by-ads-pro allows PHP Local File Inclusion.This issue affects Ads Booster…
- CVE-2024-52450HIGHCVSS 7.5EG 7.52024-11-20
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in officialprocoders nBlocks nblocks allows PHP Local File Inclusion.This issue affects nBlocks: from n/a through <= 1.0.…
- CVE-2024-52496HIGHCVSS 7.5EG 7.52024-11-28
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AbsolutePlugins Absolute Addons For Elementor absolute-addons allows Local Code Inclusion.This issue affects Absolute …
- CVE-2024-52497HIGHCVSS 7.5EG 7.52024-11-28
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in quomodosoft Shopready shopready-elementor-addon allows PHP Local File Inclusion.This issue affects Shopready: from n/a…
- CVE-2024-52499HIGHCVSS 7.5EG 7.52024-11-28
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Ibrahim Pricing table addon for elementor pricing-table-addon-for-elementor allows PHP Local File Inclusion.This issue…
- CVE-2024-52501HIGHCVSS 7.5EG 7.52024-11-28
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WebbyTemplate Office Locator office-locator.This issue affects Office Locator: from n/a through <= 1.3.0.
- CVE-2024-5345HIGHCVSS 8.8EG 8.82024-05-31
The Responsive Owl Carousel for Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.2.0 via the layout parameter. This makes it possible for authenticated attackers, with Contributor…
- CVE-2024-5348HIGHCVSS 8.8EG 8.82024-06-01
The Elements For Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.1 via the 'beforeafter_layout' attribute of the beforeafter widget, the 'eventsgrid_layout' attribute of the even…
Map vulnerabilities like CWE-98 to your infrastructure
EchelonGraph correlates every CVE — across CWE-98 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →