Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Alex Furr LinkedIn Lite linkedin-lite allows PHP Local File Inclusion. This issue affects LinkedIn Lite: from n/a through <= 1.0.
Published: 2025-03-26
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An improper control of the filename used in a PHP include/require statement allows local file inclusion within the LinkedIn Lite WordPress plugin. The flaw can enable an attacker to read sensitive files on the server or execute code that resides on the file system, leading to data exposure or full server compromise. This vulnerability is catalogued as CWE-98, highlighting the weakness in unrestricted file inclusion.

Affected Systems

The issue impacts the LinkedIn Lite plugin for WordPress authored by Alex Furr, affecting all versions from the initial release through and including version 1.0. Any WordPress site that has this plugin installed and running these affected versions is susceptible.

Risk and Exploitability

With a CVSS score of 8.1, the flaw is rated high severity. The EPSS score is listed as less than 1%, indicating a low probability of exploitation at this time, and the issue is not currently included in the CISA KEV catalog. Exploiting this vulnerability would typically require access to the WordPress installation, either by remote means that can trigger the include path or via an existing local vulnerability that grants file write or read capabilities. Given these conditions, the risk remains moderate to high for installations running the affected plugin.

Generated by OpenCVE AI on May 1, 2026 at 13:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade LinkedIn Lite to the latest available version, which removes the insecure include handling.
  • If upgrading is not immediately possible, remove the LinkedIn Lite plugin from the WordPress site until a fix is available.
  • Restrict file system permissions on the WordPress directory so that PHP cannot read or execute arbitrary files outside the intended scope.


Advisories
Source: EUVD
ID: EUVD-2025-8183
Title: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in NotFound LinkedIn Lite allows PHP Local File Inclusion. This issue affects LinkedIn Lite: from n/a through 1.0.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in NotFound LinkedIn Lite allows PHP Local File Inclusion. This issue affects LinkedIn Lite: from n/a through 1.0.
  Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Alex Furr LinkedIn Lite linkedin-lite allows PHP Local File Inclusion. This issue affects LinkedIn Lite: from n/a through <= 1.0.
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Wed, 26 Mar 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 26 Mar 2025 14:45:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in NotFound LinkedIn Lite allows PHP Local File Inclusion. This issue affects LinkedIn Lite: from n/a through 1.0.
Title WordPress LinkedIn Lite Plugin <= 1.0 - Local File Inclusion vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-11T23:55:09.534Z

Reserved: 2025-01-16T11:32:32.178Z

Link: CVE-2025-23937

Vulnrichment

Updated: 2025-03-26T15:32:08.573Z

NVD

Status: Deferred

Published: 2025-03-26T15:16:06.673

Modified: 2026-04-23T15:24:49.060

Link: CVE-2025-23937

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T13:30:17Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')