Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in roninwp FAT Event Lite fat-event-lite allows PHP Local File Inclusion.This issue affects FAT Event Lite: from n/a through <= 1.1.
Published: 2025-01-09
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper control of the filename used in an include/require statement within the WordPress FAT Event Lite plugin. This flaw, known as a Local File Inclusion, likely permits an attacker to cause the plugin to include files from the local filesystem without authentication. Based on the description, it is inferred that failing to properly validate or sanitize user‑supplied filenames may expose confidential files or enable code execution if a malicious PHP file is served. The weakness is classified as CWE-98.

Affected Systems

WordPress installations that have the FAT Event Lite plugin version 1.1 or earlier are affected. The plugin is distributed by the vendor RoninWP under the product name FAT Event Lite.

Risk and Exploitability

The issue carries a CVSS score of 8.1 and an EPSS score of <1%, indicating a moderate yet non‑negligible likelihood of exploitation. Attackers can exploit the flaw via unauthenticated requests to the plugin’s inclusion endpoint; based on the description, it is inferred that including attacker‑controlled PHP code could lead to remote code execution. The vulnerability is not listed in CISA’s KEV catalog, but its high severity and unauthenticated nature warrant prompt remediation.

Generated by OpenCVE AI on June 18, 2026 at 03:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the FAT Event Lite plugin to a version newer than 1.1 that addresses the Local File Inclusion flaw.
  • If an upgrade cannot be performed immediately, disable or delete the plugin from the WordPress installation to eliminate the attack surface.
  • As a temporary precaution, enforce PHP configuration settings that restrict file inclusion, such as setting allow_url_include to Off, enabling open_basedir limits, and validating all file paths before inclusion to align with CWE-98 mitigation practices.

Generated by OpenCVE AI on June 18, 2026 at 03:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-2789 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Roninwp FAT Event Lite allows PHP Local File Inclusion.This issue affects FAT Event Lite: from n/a through 1.1.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Roninwp FAT Event Lite allows PHP Local File Inclusion.This issue affects FAT Event Lite: from n/a through 1.1. Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in roninwp FAT Event Lite fat-event-lite allows PHP Local File Inclusion.This issue affects FAT Event Lite: from n/a through <= 1.1.
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Fri, 10 Jan 2025 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 09 Jan 2025 15:45:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Roninwp FAT Event Lite allows PHP Local File Inclusion.This issue affects FAT Event Lite: from n/a through 1.1.
Title WordPress FAT Event Lite plugin <= 1.1 - Unauthenticated Non-Arbitrary Local File Inclusion vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:00.537Z

Reserved: 2025-01-07T10:22:41.465Z

Link: CVE-2025-22508

cve-icon Vulnrichment

Updated: 2025-01-10T20:20:06.683Z

cve-icon NVD

Status : Deferred

Published: 2025-01-09T16:16:27.433

Modified: 2026-06-17T08:47:51.740

Link: CVE-2025-22508

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T03:15:04Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')