Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in roninwp FAT Event Lite fat-event-lite allows PHP Local File Inclusion. This issue affects FAT Event Lite: from n/a through <= 1.1.
Published: 2025-01-09
Score: 8.1 High
EPSS: 2.1% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper control of the filename used in an include/require statement within the WordPress FAT Event Lite plugin. This flaw, known as Local File Inclusion, permits an attacker to cause the plugin to include files from the local filesystem without authentication. The weakness is classified as CWE-98, indicating that the application fails to properly validate or sanitize user-supplied filenames before inclusion, potentially exposing confidential files or enabling code execution if a file containing malicious PHP is included.

Affected Systems

WordPress installations that have the FAT Event Lite plugin version 1.1 or earlier are affected. The plugin is distributed by the vendor RoninWP under the product name FAT Event Lite.

Risk and Exploitability

The issue carries a CVSS score of 8.1 (High) and an EPSS score of 2.1% (Low), indicating a low but non‑negligible likelihood of exploitation. The CVSS vector rates attack complexity as High (AC:H) with no privileges or user interaction required (PR:N/UI:N). Attackers can exploit the flaw via unauthenticated requests to the plugin’s inclusion endpoint, potentially reading sensitive files or, in some cases, achieving remote code execution if attacker‑controlled PHP code is included. The vulnerability is not listed in CISA’s KEV catalog, but its high severity and unauthenticated nature warrant prompt remediation.

Generated by OpenCVE AI on May 1, 2026 at 21:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the FAT Event Lite plugin to a version newer than 1.1 that addresses the Local File Inclusion flaw.
  • If an upgrade cannot be performed immediately, disable or delete the plugin from the WordPress installation to eliminate the attack surface.
  • As a temporary precaution, harden the PHP configuration by setting allow_url_include to Off and enabling open_basedir limits, and validate all file paths before inclusion, in line with CWE‑98 mitigation practices.

Advisories

Source: EUVD
ID: EUVD-2025-2789
Title: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Roninwp FAT Event Lite allows PHP Local File Inclusion. This issue affects FAT Event Lite: from n/a through 1.1.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Roninwp FAT Event Lite allows PHP Local File Inclusion. This issue affects FAT Event Lite: from n/a through 1.1.
  Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in roninwp FAT Event Lite fat-event-lite allows PHP Local File Inclusion. This issue affects FAT Event Lite: from n/a through <= 1.1.
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Fri, 10 Jan 2025 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 09 Jan 2025 15:45:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Roninwp FAT Event Lite allows PHP Local File Inclusion. This issue affects FAT Event Lite: from n/a through 1.1.
Title WordPress FAT Event Lite plugin <= 1.1 - Unauthenticated Non-Arbitrary Local File Inclusion vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:00.537Z

Reserved: 2025-01-07T10:22:41.465Z

Link: CVE-2025-22508

Vulnrichment

Updated: 2025-01-10T20:20:06.683Z

NVD

Status: Deferred

Published: 2025-01-09T16:16:27.433

Modified: 2026-04-23T15:23:07.293

Link: CVE-2025-22508

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T22:00:14Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')