Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in FULL SERVICES FULL Customer full-customer allows PHP Local File Inclusion.This issue affects FULL Customer: from n/a through <= 3.1.26.
Published: 2025-02-22
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability stems from improper control of the filename used in an include/require statement, allowing a local file to be included by the plugin. This flaw can enable an attacker to read arbitrary files on the server or, if the included file contains PHP code, to execute it, leading to significant compromise of confidentiality, integrity, or availability. The weakness is identified as CWE-98.

Affected Systems

The affected product is the FULL Customer "full-customer" plugin for WordPress, versions up to and including 3.1.26, from version n/a through 3.1.26, distributed by FULL SERVICES:FULL Customer.

Risk and Exploitability

The CVSS score is 7.5, indicating a high severity. The EPSS score is below 1 %, suggesting that exploitation is currently unlikely. The vulnerability is not listed in the CISA KEV catalog. Though the attack vector is local file inclusion, an attacker who can influence the include path could inject arbitrary local files, potentially achieving remote code execution if the server permits execution of included files. The exploit path requires the attacker to have a way to influence the file path—such as through input parameters—so it is not a purely automatic remote exploit but could be leveraged once the web application is compromised or if the attacker gains access to the site’s content management interface.

Generated by OpenCVE AI on May 1, 2026 at 15:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the FULL Customer plugin to a version newer than 3.1.26 if an official patch is available.
  • If a newer version cannot be obtained, remove or disable the plugin entirely to eliminate the vulnerable code path.
  • Configure the web server and PHP to remove the ability to include arbitrary files, such as setting allow_url_include to Off and restricting the include_path and file permissions to the minimal required set.

Generated by OpenCVE AI on May 1, 2026 at 15:57 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-4427 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in FULL SERVICES FULL Customer allows PHP Local File Inclusion. This issue affects FULL Customer: from n/a through 3.1.26.
History

Wed, 29 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Thu, 23 Apr 2026 15:30:00 +0000

Type Values Removed Values Added
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in FULL SERVICES FULL Customer allows PHP Local File Inclusion. This issue affects FULL Customer: from n/a through 3.1.26. Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in FULL SERVICES FULL Customer full-customer allows PHP Local File Inclusion.This issue affects FULL Customer: from n/a through <= 3.1.26.
References

Mon, 24 Feb 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Sat, 22 Feb 2025 16:00:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in FULL SERVICES FULL Customer allows PHP Local File Inclusion. This issue affects FULL Customer: from n/a through 3.1.26.
Title WordPress FULL – Cliente plugin <= 3.1.26 - Local File Inclusion vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-29T09:51:54.355Z

Reserved: 2025-02-14T06:53:23.368Z

Link: CVE-2025-26757

cve-icon Vulnrichment

Updated: 2025-02-24T14:26:23.114Z

cve-icon NVD

Status : Deferred

Published: 2025-02-22T16:15:31.493

Modified: 2026-04-29T10:16:42.230

Link: CVE-2025-26757

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T16:00:16Z

Weaknesses