Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Michele Giorgi Formality formality allows PHP Local File Inclusion. This issue affects Formality: from n/a through <= 1.5.7.
Published: 2025-03-26
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from improper control of the filename used in an include/require statement within the Formality plugin. This flaw permits an attacker to cause the plugin to include arbitrary local files, potentially leading to the execution of attacker-supplied PHP code or disclosure of confidential files. The weakness corresponds to CWE-98, which represents a lack of validation on file names during inclusion operations. The result is a compromise of confidentiality, integrity, and possibly availability of the affected WordPress site.

Affected Systems

The Formality plugin, developed by Michele Giorgi, is vulnerable in all released versions up to and including 1.5.7. WordPress sites that have installed an affected version of this plugin are at risk. No other vendors or product versions are listed as affected.

Risk and Exploitability

The CVSS score of 8.1 classifies this flaw as high severity. The EPSS score of less than 1 percent indicates that, as of the current analysis, the likelihood of an exploitation attempt is very low, and it is not listed in the CISA KEV catalog. However, the CVSS vector records a network attack vector (AV:N) with high attack complexity (AC:H): the flaw is reachable remotely, via an exposed form or input that triggers the inclusion logic, although successful exploitation depends on conditions outside the attacker's direct control. An attacker could supply a crafted file path through the form interface to gain access to local files or execute code. While the probability of exploitation remains small, the potential impact warrants prompt remediation.

Generated by OpenCVE AI on May 2, 2026 at 03:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Formality plugin to any version newer than 1.5.7, following the vendor’s update guidelines.
  • If a newer version is unavailable, temporarily disable the plugin to eliminate the vulnerable code path until a patch can be applied.
  • As a last resort, manually review and remove the include/require logic that uses unsanitized filenames, and implement strict input validation to allow only safe, whitelisted file paths.

Generated by OpenCVE AI on May 2, 2026 at 03:20 UTC.
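The following is an added illustration of the recommended action above, not code from the Formality plugin or from OpenCVE: a hypothetical template loader showing the CWE-98 pattern (an include path built from a request value) next to an allowlist-based replacement. The directory layout, template names and the `template` request parameter are assumptions.

```php
<?php
// Added example, not Formality's code: a hypothetical template loader that
// shows the CWE-98 include pattern described in the advisory and an
// allowlisted replacement for it.

// VULNERABLE PATTERN (what to look for during review): the include path is
// built directly from an untrusted request value, so any local file the
// web server can read may be pulled into the PHP runtime.
function render_template_unsafe(string $template): void
{
    include __DIR__ . '/templates/' . $template . '.php';
}

// HARDENED: accept only names from a fixed allowlist, then confirm that the
// resolved path still lies inside the templates directory before including.
function render_template_safe(string $template): void
{
    static $allowed = ['default', 'compact', 'wizard']; // constructed names

    if (!in_array($template, $allowed, true)) {
        http_response_code(400);
        // Hex-encode the rejected value so log lines cannot be forged.
        error_log('template loader: rejected template name ' . bin2hex($template));
        return;
    }

    $base = realpath(__DIR__ . '/templates');
    $path = realpath($base . '/' . $template . '.php');

    // realpath() returns false for a missing file or directory; the prefix
    // check keeps traversal out even if the allowlist is edited later.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        http_response_code(400);
        return;
    }

    include $path;
}

// A value from a form field, treated as untrusted input (assumed parameter).
$requested = isset($_GET['template']) ? (string) $_GET['template'] : 'default';
render_template_safe($requested);
```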

Advisories

Source: EUVD
ID: EUVD-2025-8180
Title: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Michele Giorgi Formality allows PHP Local File Inclusion. This issue affects Formality: from n/a through 1.5.7.

History

Thu, 23 Apr 2026 15:00:00 +0000
  Metrics (cvssV3_1): {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000
  Description, value removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Michele Giorgi Formality allows PHP Local File Inclusion. This issue affects Formality: from n/a through 1.5.7.
  Description, value added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Michele Giorgi Formality formality allows PHP Local File Inclusion.This issue affects Formality: from n/a through <= 1.5.7.
  References
  Metrics (cvssV3_1): {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Wed, 26 Mar 2025 16:15:00 +0000
  Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 26 Mar 2025 14:45:00 +0000
  Description: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Michele Giorgi Formality allows PHP Local File Inclusion. This issue affects Formality: from n/a through 1.5.7.
  Title: WordPress Formality Plugin <= 1.5.7 - Local File Inclusion vulnerability
  Weaknesses: CWE-98
  References
  Metrics (cvssV3_1): {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:31.978Z

Reserved: 2025-01-23T14:52:14.008Z

Link: CVE-2025-24690

Vulnrichment

Updated: 2025-03-26T15:30:28.928Z

NVD

Status: Deferred

Published: 2025-03-26T15:16:07.407

Modified: 2026-04-23T15:25:17.727

Link: CVE-2025-24690

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T03:30:16Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')