Total
1113 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-60126 | 2 Pluginops, Wordpress | 2 Testimonial Slider, Wordpress | 2026-04-15 | N/A |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in PluginOps Testimonial Slider testimonial-add allows PHP Local File Inclusion.This issue affects Testimonial Slider: from n/a through <= 3.5.8.6. | ||||
| CVE-2025-60204 | 3 Josh Kohlbach, Woocommerce, Wordpress | 3 Woocommerce Store Toolkit, Woocommerce, Wordpress | 2026-04-15 | 7.5 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Josh Kohlbach WooCommerce Store Toolkit woocommerce-store-toolkit allows PHP Local File Inclusion.This issue affects WooCommerce Store Toolkit: from n/a through <= 2.4.3. | ||||
| CVE-2024-8392 | 2026-04-15 | 7.2 High | ||
| The WordPress Post Grid Layouts with Pagination – Sogrid plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.5.6 via the 'tab' parameter. This makes it possible for authenticated attackers, with Administrator-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. This can also be exploited via CSRF techniques. | ||||
| CVE-2026-39538 | 2 Mikado-themes, Wordpress | 2 Mikado Core, Wordpress | 2026-04-14 | 7.5 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Mikado Core mikado-core allows PHP Local File Inclusion.This issue affects Mikado Core: from n/a through <= 1.6. | ||||
| CVE-2026-34787 | 1 Emlog | 1 Emlog | 2026-04-14 | 6.5 Medium |
| Emlog is an open source website building system. In versions 2.6.2 and prior, a Local File Inclusion (LFI) vulnerability exists in admin/plugin.php at line 80. The $plugin parameter from the GET request is directly used in a require_once path without proper sanitization. If the CSRF token check can be bypassed (see potential bypass conditions), an attacker can include arbitrary PHP files from the server filesystem, leading to code execution. At time of publication, there are no publicly available patches. | ||||
| CVE-2026-39677 | 2 Creatives Planet, Wordpress | 2 Emphires, Wordpress | 2026-04-14 | 7.5 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Creatives_Planet Emphires emphires allows PHP Local File Inclusion.This issue affects Emphires: from n/a through <= 3.9. | ||||
| CVE-2026-39679 | 2 Apustheme, Wordpress | 2 Freeio, Wordpress | 2026-04-14 | 7.5 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ApusTheme Freeio freeio allows PHP Local File Inclusion.This issue affects Freeio: from n/a through <= 1.3.21. | ||||
| CVE-2026-39681 | 2 Apustheme, Wordpress | 2 Homeo, Wordpress | 2026-04-14 | 7.5 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ApusTheme Homeo homeo allows PHP Local File Inclusion.This issue affects Homeo: from n/a through <= 1.2.59. | ||||
| CVE-2025-5804 | 2 Case-themes, Wordpress | 2 Case Theme User, Wordpress | 2026-04-13 | 7.5 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Case Themes Case Theme User allows PHP Local File Inclusion.This issue affects Case Theme User: from n/a before 1.0.4. | ||||
| CVE-2025-58913 | 2 Cactusthemes, Wordpress | 2 Videopro, Wordpress | 2026-04-13 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CactusThemes VideoPro allows PHP Local File Inclusion.This issue affects VideoPro: from n/a through 2.3.8.1. | ||||
| CVE-2026-39611 | 2 Kutethemes, Wordpress | 2 Kuteshop, Wordpress | 2026-04-13 | 7.5 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in kutethemes KuteShop kuteshop allows PHP Local File Inclusion.This issue affects KuteShop: from n/a through <= 4.2.9. | ||||
| CVE-2026-39613 | 2 Kutethemes, Wordpress | 2 Boutique, Wordpress | 2026-04-13 | 7.5 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in kutethemes Boutique kute-boutique allows PHP Local File Inclusion.This issue affects Boutique: from n/a through <= 2.3.3. | ||||
| CVE-2026-39623 | 2 Kutethemes, Wordpress | 2 Biolife, Wordpress | 2026-04-10 | 7.5 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in kutethemes Biolife biolife allows PHP Local File Inclusion.This issue affects Biolife: from n/a through <= 3.2.3. | ||||
| CVE-2026-39684 | 2 Untheme, Wordpress | 2 Organicfood, Wordpress | 2026-04-10 | 7.5 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in UnTheme OrganicFood organicfood allows PHP Local File Inclusion.This issue affects OrganicFood: from n/a through <= 3.6.4. | ||||
| CVE-2018-25231 | 1 Heidisql | 1 Heidisql | 2026-04-08 | 6.2 Medium |
| HeidiSQL 9.5.0.5196 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long file path in the logging preferences. Attackers can input a buffer-overflow payload through the SQL log file path field in Preferences > Logging to trigger an application crash. | ||||
| CVE-2024-4551 | 1 Yotuwp | 1 Video Gallery | 2026-04-08 | 6.4 Medium |
| The Video Gallery – YouTube Playlist, Channel Gallery by YotuWP plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.3.13 via the display function. This makes it possible for authenticated attackers, with contributor access and higher, to include and execute arbitrary php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. | ||||
| CVE-2024-4359 | 1 Bdthemes | 1 Element Pack | 2026-04-08 | 6.5 Medium |
| The Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) plugin for WordPress is vulnerable to arbitrary file reads in all versions up to, and including, 5.7.2 via the SVG widget and a lack of sufficient file validation in the render_svg function. This makes it possible for authenticated attackers, with contributor-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information. | ||||
| CVE-2024-3564 | 1 Vanderwijk | 1 Content Blocks | 2026-04-08 | 8.8 High |
| The Content Blocks (Custom Post Widget) plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.3.0 via the plugin's 'content_block' shortcode. This makes it possible for authenticated attackers, with contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. | ||||
| CVE-2024-3500 | 1 Wpmet | 1 Elementskit | 2026-04-08 | 8.8 High |
| The ElementsKit Pro plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.6.0 via the Price Menu, Hotspot, and Advanced Toggle widgets. This makes it possible for authenticated attackers, with contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. CVE-2024-43996 is potentially a duplicate of this issue. | ||||
| CVE-2024-2411 | 1 Stylemixthemes | 1 Masterstudy Lms | 2026-04-08 | 9.8 Critical |
| The MasterStudy LMS plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.3.0 via the 'modal' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. | ||||