Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in zankover Fami Sales Popup fami-sales-popup allows PHP Local File Inclusion. This issue affects Fami Sales Popup: from n/a through <= 2.0.0.
Published: 2025-02-07
Score: 7.5 High
EPSS: 1.1% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from improper control of the filename used in PHP include/require statements in the Fami Sales Popup plugin. An attacker can manipulate input so that the plugin includes an arbitrary local file, which may disclose sensitive data or execute arbitrary PHP code. The weakness corresponds to CWE-98 and is rated high severity because of the potential for remote code execution if the web server runs the included file.
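As an added illustration (not the plugin's own code; the affected parameter and file names are not published in this record, so `template` and the file list below are hypothetical), the CWE-98 pattern beside an allowlist-based fix:

```php
<?php
// Added example, not the plugin's code. $_GET['template'] and the template
// file names are placeholders standing in for whatever request input the
// affected plugin passes to include/require.

// Vulnerable pattern (CWE-98): request data is spliced into the include path,
// so a value containing "../" escapes the templates directory.
function render_popup_unsafe(string $template): void {
    include __DIR__ . '/templates/' . $template . '.php';
}

// Hardened pattern: map a short key to a fixed file through an allowlist and
// never build the path from request data.
const POPUP_TEMPLATES = [
    'default' => 'default.php',
    'compact' => 'compact.php',
];

function resolve_popup_template(string $key): ?string {
    if (!isset(POPUP_TEMPLATES[$key])) {
        return null;                       // unknown key: refuse
    }
    $base = realpath(__DIR__ . '/templates');
    $path = realpath($base . '/' . POPUP_TEMPLATES[$key]);
    // realpath() collapses ".." and symlinks; confirm the result still lies
    // inside the templates directory before it is included.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function render_popup_safe(string $key): void {
    $path = resolve_popup_template($key);
    if ($path === null) {
        http_response_code(400);
        return;
    }
    include $path;
}

// Only accept a scalar string; arrays and missing values fall back to the default.
$key = is_string($_GET['template'] ?? null) ? $_GET['template'] : 'default';
render_popup_safe($key);
```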

Affected Systems

Affected systems are installations of the WordPress plugin Fami Sales Popup produced by zankover. All releases from the initial version up to and including 2.0.0 are vulnerable; no fixed version is recorded.

Risk and Exploitability

The CVSS base score of 7.5 indicates a high risk, and the EPSS score of 1% shows a low but non-negligible probability of exploitation in the field. The recorded vector (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H) describes an unauthenticated network attack with high attack complexity and required user interaction, but full impact on confidentiality, integrity and availability. The vulnerability is not currently listed in the CISA KEV catalog. Attackers are likely to exploit the issue by accessing the plugin's vulnerable parameters through the web interface, potentially triggering the include with a crafted path. No additional prerequisites are documented, but the plugin must be reachable over HTTP/HTTPS for the attack to succeed.

Generated by OpenCVE AI on May 1, 2026 at 16:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Fami Sales Popup plugin to a version newer than 2.0.0 that removes the vulnerable include logic.
  • If an update is not immediately available, disable or completely remove the plugin from the WordPress installation to eliminate the attack surface.
  • Apply strict file permissions and enforce a safe include path in the server configuration to prevent unintended local file inclusion.

Advisories
Source: EUVD
ID: EUVD-2025-4052
Title: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in zankover Fami Sales Popup allows PHP Local File Inclusion. This issue affects Fami Sales Popup: from n/a through 2.0.0.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in zankover Fami Sales Popup allows PHP Local File Inclusion. This issue affects Fami Sales Popup: from n/a through 2.0.0.
  Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in zankover Fami Sales Popup fami-sales-popup allows PHP Local File Inclusion.This issue affects Fami Sales Popup: from n/a through <= 2.0.0.
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}


Wed, 12 Feb 2025 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 07 Feb 2025 10:15:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in zankover Fami Sales Popup allows PHP Local File Inclusion. This issue affects Fami Sales Popup: from n/a through 2.0.0.
Title WordPress Fami Sales Popup plugin <= 2.0.0 - Local File Inclusion vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:36.841Z

Reserved: 2025-02-03T13:35:08.293Z

Link: CVE-2025-25141

Vulnrichment

Updated: 2025-02-12T20:45:09.248Z

NVD

Status : Deferred

Published: 2025-02-07T10:15:19.200

Modified: 2026-04-23T15:25:41.227

Link: CVE-2025-25141

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T17:00:11Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')