Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in DeluxeThemes Private Messages for UserPro userpro-messaging. This issue affects Private Messages for UserPro: from n/a through <= 4.10.0.
Published: 2025-01-21
Score: 7.5 High
EPSS: 1.1% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from improper control of the filename passed to a PHP include/require statement, allowing an attacker to specify an arbitrary file path. This flaw can enable reading sensitive files on the server or, if the server allows remote file inclusion, executing arbitrary code. The weakness is classified as CWE-98, reflecting missing or insufficient validation of the included filename.

Affected Systems

DeluxeThemes Private Messages for UserPro is affected in versions up to and including 4.10.0. Users running any of those releases should treat their installation as vulnerable to Local File Inclusion.

Risk and Exploitability

The CVSS score of 7.5 reflects a high severity for this flaw, but the EPSS score of less than 1% indicates a low probability of exploitation at present. The vulnerability is not listed in CISA's KEV catalog, suggesting it has not been widely exploited. The likely attack vector is crafted user input that influences the include/require filename, which could be triggered through normal use of the messaging feature. With the low EPSS, exploitation is currently unlikely, but the high CVSS score warrants prompt mitigation.

Generated by OpenCVE AI on May 1, 2026 at 20:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Private Messages for UserPro plugin to the latest version that removes the LFI flaw; the update should implement proper filename validation or sanitize all include paths.
  • If an immediate update is not possible, disable or remove the component of the plugin that constructs file paths based on user input so that the vulnerable include/require statement cannot be reached.
  • Configure the web server and PHP environment to reject remote file includes by setting allow_url_include to Off and applying file system access controls to eliminate the possibility of reading or executing unintended files.
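The pattern behind CWE-98 and the allowlist-based fix the recommended actions call for, as an added illustration that is not the plugin's own code (the advisory does not show it). The request parameter name "view", the template directory and the template names are assumptions made for the example.

```php
<?php
// Added example illustrating CWE-98 and its mitigation. Not code from the
// Private Messages for UserPro plugin; the "view" parameter and the
// templates/ directory are assumed for illustration only.

// Vulnerable pattern: the request value becomes part of the include path with
// no validation and no confinement to the template directory. With
// allow_url_include=On this can reach remote files; with it Off it can still
// reach any file the PHP process may read (Local File Inclusion).
function render_vulnerable(string $view): void
{
    include __DIR__ . '/templates/' . $view;
}

// Hardened pattern: the request value is only ever a key into a fixed map of
// known templates, so user input never becomes part of a filesystem path.
const TEMPLATES = [
    'inbox'   => 'inbox.php',
    'compose' => 'compose.php',
    'thread'  => 'thread.php',
];

// Returns the absolute path of the selected template, or null if the request
// value is not an allowed key or the resolved path leaves the template dir.
function resolve_template(string $view): ?string
{
    if (!array_key_exists($view, TEMPLATES)) {
        return null;                       // unknown key: refuse, never guess
    }
    $base = realpath(__DIR__ . '/templates');
    $path = realpath(__DIR__ . '/templates/' . TEMPLATES[$view]);
    if ($base === false || $path === false) {
        return null;                       // template missing on disk
    }
    // Defence in depth: confirm the canonical path is still inside $base.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

function render_hardened(string $view): void
{
    $path = resolve_template($view);
    if ($path === null) {
        http_response_code(400);
        echo 'Unknown view';
        return;
    }
    include $path;
}

// Runtime check mirroring the configuration advice above: report when the
// PHP environment still permits remote includes so the setting can be fixed.
function remote_include_enabled(): bool
{
    return filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN);
}

if (remote_include_enabled()) {
    error_log('allow_url_include is On; set allow_url_include = Off in php.ini');
}

$view = $_GET['view'] ?? 'inbox';
render_hardened($view);
```

The allowlist is the essential control: once the request value is only a lookup key, neither path traversal nor stream wrappers in the input reach the include statement. The realpath prefix check is a second layer for the case where the template table is later edited to contain a bad entry, and the allow_url_include check only reports the setting, since the fix for it belongs in php.ini, not in application code.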

Advisories
Source: EUVD
ID: EUVD-2025-2711
Title: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in NotFound Private Messages for UserPro. This issue affects Private Messages for UserPro: from n/a through 4.10.0.
History

Thu, 23 Apr 2026 15:00:00 +0000

  • Metrics (cvssV3_1): {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000

  • Description, value removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in NotFound Private Messages for UserPro. This issue affects Private Messages for UserPro: from n/a through 4.10.0.
  • Description, value added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in DeluxeThemes Private Messages for UserPro userpro-messaging. This issue affects Private Messages for UserPro: from n/a through <= 4.10.0.
  • References
  • Metrics (cvssV3_1): {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Tue, 21 Jan 2025 16:15:00 +0000

  • Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 21 Jan 2025 13:45:00 +0000

  • Description: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in NotFound Private Messages for UserPro. This issue affects Private Messages for UserPro: from n/a through 4.10.0.
  • Title: WordPress Private Messages for UserPro plugin <= 4.10.0 - Local File Inclusion vulnerability
  • Weaknesses: CWE-98
  • References
  • Metrics (cvssV3_1): {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:10:59.178Z

Reserved: 2025-01-03T13:16:10.260Z

Link: CVE-2025-22311

Vulnrichment

Updated: 2025-01-21T15:39:52.100Z

NVD

Status: Deferred

Published: 2025-01-21T14:15:09.930

Modified: 2026-04-23T15:22:59.537

Link: CVE-2025-22311

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T20:15:24Z

Weaknesses
  • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')