Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in beeteam368 VidMov vidmov allows PHP Local File Inclusion. This issue affects VidMov: from n/a through <= 1.9.4.
Published: 2025-08-14
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability originates from improper control over the filename used in a PHP include/require statement, allowing an attacker to force the application to include an arbitrary local file. This flaw can enable the attacker to read sensitive files on the server or execute malicious code if the included file is treated as code, representing a local file inclusion flaw (CWE‑98).

Affected Systems

The issue affects the beeteam368 VidMov WordPress theme. Any installation of VidMov at version 1.9.4 or earlier is impacted; versions newer than 1.9.4 are presumed unaffected.

Risk and Exploitability

The CVSS score of 8.1 denotes high severity, but the EPSS score of <1% indicates that, at present, exploitation is considered unlikely. The vulnerability is not listed in CISA's KEV catalog. Exploitation would likely occur through crafted input that directs the include/require path, such as specific URL parameters or file upload fields, allowing the attacker to include a local file of their choice. No specific prerequisites beyond the ability to influence the include path are stated, so the attack vector is inferred to be local file inclusion via user-controlled input.

Generated by OpenCVE AI on May 1, 2026 at 06:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the beeteam368 VidMov WordPress theme to version 1.9.5 or later, where the include/require logic has been secured.
  • If an upgrade cannot be performed immediately, restrict the file system permissions of files that can be included and disable PHP’s allow_url_fopen directive to mitigate accidental remote file inclusion.
  • Implement input sanitization by whitelisting allowed filenames for inclusion, ensuring that only approved files are processed in the include/require statements.

Advisories

Source: EUVD
ID: EUVD-2025-24729
Title: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in beeteam368 VidMov allows PHP Local File Inclusion. This issue affects VidMov: from n/a through 1.9.4.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in beeteam368 VidMov allows PHP Local File Inclusion. This issue affects VidMov: from n/a through 1.9.4.
  Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in beeteam368 VidMov vidmov allows PHP Local File Inclusion. This issue affects VidMov: from n/a through <= 1.9.4.
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Thu, 14 Aug 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 14 Aug 2025 13:00:00 +0000

Type Values Removed Values Added
First Time appeared Beeteam368
Beeteam368 vidmov
Wordpress
Wordpress wordpress
Vendors & Products Beeteam368
Beeteam368 vidmov
Wordpress
Wordpress wordpress

Thu, 14 Aug 2025 10:45:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in beeteam368 VidMov allows PHP Local File Inclusion. This issue affects VidMov: from n/a through 1.9.4.
Title WordPress VidMov <= 1.9.4 - Local File Inclusion Vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:37.638Z

Reserved: 2025-02-03T13:35:41.375Z

Link: CVE-2025-25172

Vulnrichment

Updated: 2025-08-14T13:28:26.853Z

NVD

Status: Deferred

Published: 2025-08-14T11:15:30.800

Modified: 2026-04-23T15:25:44.910

Link: CVE-2025-25172

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T06:45:11Z
