Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Nitin Prakash WC Place Order Without Payment wc-place-order-without-payment allows PHP Local File Inclusion.This issue affects WC Place Order Without Payment: from n/a through <= 2.6.7.
Published: 2025-03-10
Score: 7.5 High
EPSS: 1.1% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper control of filename in a PHP include/require statement, enabling a local file inclusion (LFI) attack against the Nitin Prakash WC Place Order Without Payment WordPress plugin. An attacker could read arbitrary files on the server, potentially exposing sensitive configuration, log, or authentication data and providing a foothold for further compromise. The weakness is classified as CWE-98.

Affected Systems

This issue affects the WordPress WooCommerce plugin named WC Place Order Without Payment by Nitin Prakash, versions up to and including 2.6.7. Any WordPress site that has installed a vulnerable version of the plugin is at risk.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity, and the EPSS score of 1% suggests a low but non‑zero probability of exploitation. The vulnerability is not listed in the CISA KEV catalog, meaning no known active exploits are reported. The likely attack vector is local; an attacker could trigger the vulnerable include by sending a crafted request that manipulates the filename used by the plugin. Successful exploitation could expose sensitive files or act as a foothold for further attacks.

Generated by OpenCVE AI on May 2, 2026 at 03:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the "WC Place Order Without Payment" plugin to version 2.6.8 or newer, which removes the vulnerable file inclusion logic.
  • If an update cannot be applied immediately, disable the plugin to eliminate the active inclusion path until a fix is available.
  • Apply server‑side file permission restrictions or use a WordPress security plugin that blocks direct access to sensitive files and directories, thereby reducing the impact of any remaining inclusion vulnerabilities.

Generated by OpenCVE AI on May 2, 2026 at 03:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-7720 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Nitin Prakash WC Place Order Without Payment allows PHP Local File Inclusion. This issue affects WC Place Order Without Payment: from n/a through 2.6.7.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Nitin Prakash WC Place Order Without Payment allows PHP Local File Inclusion. This issue affects WC Place Order Without Payment: from n/a through 2.6.7. Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Nitin Prakash WC Place Order Without Payment wc-place-order-without-payment allows PHP Local File Inclusion.This issue affects WC Place Order Without Payment: from n/a through <= 2.6.7.
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Tue, 11 Mar 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 10 Mar 2025 14:45:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Nitin Prakash WC Place Order Without Payment allows PHP Local File Inclusion. This issue affects WC Place Order Without Payment: from n/a through 2.6.7.
Title WordPress Place Order Without Payment for WooCommerce plugin <= 2.6.7 - Local File Inclusion vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:44.332Z

Reserved: 2025-02-17T11:51:10.110Z

Link: CVE-2025-26933

cve-icon Vulnrichment

Updated: 2025-03-10T16:59:48.952Z

cve-icon NVD

Status : Deferred

Published: 2025-03-10T15:15:37.997

Modified: 2026-04-23T15:26:05.913

Link: CVE-2025-26933

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-02T03:45:33Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')