Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Wow-Company Calculator Builder calculator-builder allows PHP Local File Inclusion. This issue affects Calculator Builder: from n/a through <= 1.6.2.
Published: 2025-02-22
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability allows an attacker to provide an arbitrary file path to a PHP include/require statement within the Wow‑Company Calculator Builder plugin. Based on the description, it is inferred that the attacker could read local files from the server or, if the supplied file contains executable code, trigger its execution. The weakness is a classic improper validation of the filename used in a PHP include, leading to Local File Inclusion.

Affected Systems

WordPress sites that have installed the Wow‑Company Calculator Builder plugin in version 1.6.2 or earlier are affected. All installations of these plugin versions are at risk; newer releases (1.6.3 and later) are presumed to contain a fix.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity, while the EPSS score of less than 1% suggests a very low current exploitation probability. The CVE is not listed in the CISA KEV catalog and no public exploits have been reported. Based on the description, it is inferred that the likely attack vector involves web requests targeting the plugin’s file inclusion functionality, requiring only normal user-level authentication to the WordPress site to trigger the vulnerability.

Generated by OpenCVE AI on May 2, 2026 at 04:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Calculator Builder plugin to version 1.6.3 or later, which includes proper validation of include paths.
  • If an upgrade is not immediately possible, limit the accessible endpoints of the plugin by configuring web‑server rules (e.g., .htaccess or nginx) to block requests that contain inclusion parameters.
  • Rewrite or patch the plugin’s code to enforce a whitelist of allowed include paths, ensuring all user‑supplied filenames are sanitized and that no arbitrary file references can be constructed, in line with CWE‑98 remediation practices.

Advisories
Source: EUVD
ID: EUVD-2025-4429
Title: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Wow-Company Calculator Builder allows PHP Local File Inclusion. This issue affects Calculator Builder: from n/a through 1.6.2.
History

Wed, 29 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
Removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Wow-Company Calculator Builder allows PHP Local File Inclusion. This issue affects Calculator Builder: from n/a through 1.6.2.
Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Wow-Company Calculator Builder calculator-builder allows PHP Local File Inclusion. This issue affects Calculator Builder: from n/a through <= 1.6.2.
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}


Mon, 24 Feb 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Sat, 22 Feb 2025 16:00:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Wow-Company Calculator Builder allows PHP Local File Inclusion. This issue affects Calculator Builder: from n/a through 1.6.2.
Title WordPress Calculator Builder plugin <= 1.6.2 - Local File Inclusion vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}


Subscriptions

Wordpress Wordpress
Wow-company Calculator-builder
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-12T23:50:36.978Z

Reserved: 2025-02-14T06:53:32.111Z

Link: CVE-2025-26760

Vulnrichment

Updated: 2025-02-24T14:24:15.806Z

NVD

Status: Deferred

Published: 2025-02-22T16:15:31.633

Modified: 2026-04-29T10:16:42.370

Link: CVE-2025-26760

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T04:30:16Z

Weaknesses