Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Webarea Background animation blocks background-animation-blocks allows PHP Local File Inclusion. This issue affects Background animation blocks: from n/a through <= 2.1.5.
Published: 2025-01-22
Score: 8.1 High
EPSS: 1.7% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Background animation blocks plugin contains a flaw that allows an attacker to supply an arbitrary filename to an include/require statement in PHP. This improper handling of filenames (CWE‑98) permits local file inclusion, enabling the reading of any file accessible to the web server. If the included file is a PHP script, the attacker may be able to execute code; otherwise, file contents can be exposed. The CVSS score of 8.1 reflects the potential impact on confidentiality, integrity, and availability.

Affected Systems

Webarea’s Background animation blocks plugin is affected in all releases from the initial release up through version 2.1.5. Any installation using v2.1.5 or lower is vulnerable.

Risk and Exploitability

The vulnerability can be exploited when the attacker can influence the filename parameter supplied to the plugin, which may be possible through the plugin’s configuration interface or by manipulating the URL. The EPSS score of 1 % indicates a low but non‑zero probability of exploitation, yet the high CVSS rating signals a rapid escalation risk if exploited. The flaw is not listed in the CISA KEV catalogue, but given its severity and potential for data exposure or code execution, it should be treated with urgency.

Generated by OpenCVE AI on May 1, 2026 at 19:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Background animation blocks plugin to the latest release (2.1.6 or newer), which removes the local file inclusion flaw.
  • Disable the plugin entirely if an upgrade cannot be performed immediately to prevent any exploitation paths.
  • Validate any user‑supplied filename inputs on the server side, ensuring they match a strict whitelist of allowed files and that PHP’s allow_url_include is disabled to eliminate remote inclusion possibility.
  • Review server file permissions and ensure that the web root does not expose sensitive files to the plugin’s include mechanism.

Advisories
Source ID Title
EUVD EUVD-2025-3561 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WebArea Background animation blocks allows PHP Local File Inclusion. This issue affects Background animation blocks: from n/a through 2.1.5.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WebArea Background animation blocks allows PHP Local File Inclusion. This issue affects Background animation blocks: from n/a through 2.1.5. Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Webarea Background animation blocks background-animation-blocks allows PHP Local File Inclusion. This issue affects Background animation blocks: from n/a through <= 2.1.5.
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Wed, 22 Jan 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 22 Jan 2025 14:45:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WebArea Background animation blocks allows PHP Local File Inclusion. This issue affects Background animation blocks: from n/a through 2.1.5.
Title WordPress Background animation blocks Plugin <= 2.1.5 - Local File Inclusion vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-11T23:06:54.794Z

Reserved: 2025-01-16T11:32:45.573Z

Link: CVE-2025-23948

Vulnrichment

Updated: 2025-01-22T15:24:53.641Z

NVD

Status: Deferred

Published: 2025-01-22T15:15:26.383

Modified: 2026-04-23T15:24:50.347

Link: CVE-2025-23948

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T19:30:23Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')