Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in hockeydata hockeydata LOS hockeydata-los allows PHP Local File Inclusion. This issue affects hockeydata LOS: from n/a through <= 1.2.4.
Published: 2025-04-15
Score: 7.5 High
EPSS: 1.1% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an Improper Control of Filename for Include/Require Statement in PHP, a Local File Inclusion flaw that allows an attacker to cause the plugin to include arbitrary files from the server. This can expose configuration files, passwords, or other secrets and may serve as a foothold for further exploitation if the included content is executed as code.

Affected Systems

The affected product is the hockeydata LOS WordPress plugin, version 1.2.4 and earlier. All releases in that range are vulnerable.

Risk and Exploitability

The CVSS base score of 7.5 indicates moderate‑to‑high severity, but the EPSS score of less than 1% suggests that exploitation is unlikely in the current environment. Based on the description, it is inferred that the likely attack vector is a crafted HTTP request that triggers the inclusion of a local file, and that the vulnerability does not require authentication, as the plugin includes files without checking user context. The plugin is not listed in the CISA KEV catalog, indicating no widespread exploitation has been reported.

Generated by OpenCVE AI on May 2, 2026 at 08:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the hockeydata LOS plugin to a version newer than 1.2.4 or apply any vendor patch that addresses the local file inclusion fix.
  • If an upgrade is not possible, consider disabling or removing the plugin until a fix is applied.
  • As a temporary measure, restrict file inclusion by configuring PHP’s 'open_basedir' directive or enabling the suhosin extension to limit include paths to trusted directories.

Advisories

Source: EUVD
ID: EUVD-2025-10951
Title: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in NotFound hockeydata LOS allows PHP Local File Inclusion. This issue affects hockeydata LOS: from n/a through 1.2.4.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
Values Removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in NotFound hockeydata LOS allows PHP Local File Inclusion. This issue affects hockeydata LOS: from n/a through 1.2.4.
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in hockeydata hockeydata LOS hockeydata-los allows PHP Local File Inclusion. This issue affects hockeydata LOS: from n/a through <= 1.2.4.
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}


Tue, 15 Apr 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 15 Apr 2025 12:15:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in NotFound hockeydata LOS allows PHP Local File Inclusion. This issue affects hockeydata LOS: from n/a through 1.2.4.
Title WordPress hockeydata LOS plugin <= 1.2.4 - Local File Inclusion vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:42.176Z

Reserved: 2025-02-17T11:50:29.986Z

Link: CVE-2025-26889

Vulnrichment

Updated: 2025-04-15T13:19:43.591Z

NVD

Status: Deferred

Published: 2025-04-15T12:15:19.907

Modified: 2026-04-23T15:26:00.337

Link: CVE-2025-26889

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T08:45:38Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')