Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeAtelier IDonatePro idonate-pro allows PHP Local File Inclusion. This issue affects IDonatePro: from n/a through <= 2.1.9.
Published: 2025-08-14
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The IDonatePro plugin contains a PHP include/require statement whose filename is taken from user‑supplied input without sanitisation, allowing an attacker to specify arbitrary paths. This is a Local File Inclusion vulnerability (CWE‑98) that can enable the reading of sensitive files on the server or, in some configurations, execution of arbitrary PHP code. If the attacker can point the include at a file they can write to, or at a crafted PHP file already on the server, the application may execute it, potentially compromising the entire WordPress site.

Affected Systems

The affected product is the WordPress plugin ThemeAtelier IDonatePro, versions up to and including 2.1.9. All installations of this plugin that have not been updated beyond 2.1.9 are vulnerable.

Risk and Exploitability

The high CVSS score of 8.1 indicates severe potential impact if exploited. However, the EPSS score of <1% suggests that exploitation in the wild is currently unlikely. The likely attack vector is an HTTP request that controls the include parameter, potentially from an authenticated or unauthenticated user. Although the confirmed impact is local file inclusion, the vulnerability could also lead to remote code execution if an attacker can write, or point the include at, a PHP file under their control. The absence of exploitation reports and of a KEV listing further indicates a low immediate threat, but the potential impact remains significant.

Generated by OpenCVE AI on April 30, 2026 at 16:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the IDonatePro plugin to the latest version that contains the fix
  • If an upgrade cannot be performed immediately, remove or disable the plugin functionality that relies on the vulnerable include statement
  • Implement input validation to disallow arbitrary paths or restrict file inclusion to a predefined whitelist
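As an added illustration of the last two actions (this is not code from the IDonatePro plugin, whose include parameter is not identified on this page), the snippet below contrasts an include driven directly by request input with one restricted to a predefined allowlist; the parameter name `template` and the templates directory are assumptions.

```php
<?php
// Added example, not IDonatePro code. The request parameter name ('template')
// and the templates directory are assumptions made for illustration.

// Weak pattern (CWE-98): the include path is built directly from request input,
// so any readable file on the server can be pulled into the PHP interpreter.
function render_template_unsafe(string $template): void
{
    include __DIR__ . '/templates/' . $template . '.php';
}

// Hardened pattern: map the request value onto a fixed set of known templates.
// Anything not in the allowlist is rejected before any filesystem access.
const ALLOWED_TEMPLATES = [
    'donation-form' => 'donation-form.php',
    'thank-you'     => 'thank-you.php',
];

function resolve_template(string $template): ?string
{
    if (!array_key_exists($template, ALLOWED_TEMPLATES)) {
        return null; // unknown key: never touch the filesystem
    }
    $base = realpath(__DIR__ . '/templates');
    $path = realpath(__DIR__ . '/templates/' . ALLOWED_TEMPLATES[$template]);
    // Defence in depth: the resolved file must still live inside the template dir.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function render_template_safe(string $template): void
{
    $path = resolve_template($template);
    if ($path === null) {
        http_response_code(400);
        echo 'Unknown template';
        return;
    }
    include $path;
}

// A traversal value such as '../config' is not an allowlist key and is rejected;
// 'thank-you' resolves to the one fixed file it maps to.
render_template_safe(isset($_GET['template']) ? (string) $_GET['template'] : '');
```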


Advisories
Source: EUVD
ID: EUVD-2025-24738
Title: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeAtelier IDonatePro allows PHP Local File Inclusion. This issue affects IDonatePro: from n/a through 2.1.9.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Values: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeAtelier IDonatePro allows PHP Local File Inclusion. This issue affects IDonatePro: from n/a through 2.1.9.
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeAtelier IDonatePro idonate-pro allows PHP Local File Inclusion. This issue affects IDonatePro: from n/a through <= 2.1.9.

Type: References

Type: Metrics (cvssV3_1)
Values: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Sat, 16 Aug 2025 21:45:00 +0000

Type: First Time appeared
Values Added: Themeatelier; Themeatelier idonate; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Themeatelier; Themeatelier idonate; Wordpress; Wordpress wordpress

Thu, 14 Aug 2025 15:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 14 Aug 2025 10:45:00 +0000

Type: Description
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeAtelier IDonatePro allows PHP Local File Inclusion. This issue affects IDonatePro: from n/a through 2.1.9.

Type: Title
Values Added: WordPress IDonatePro <= 2.1.9 - Local File Inclusion Vulnerability

Type: Weaknesses
Values Added: CWE-98

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:56.536Z

Reserved: 2025-03-24T13:01:06.202Z

Link: CVE-2025-30635

Vulnrichment

Updated: 2025-08-14T15:02:58.243Z

NVD

Status : Deferred

Published: 2025-08-14T11:15:32.570

Modified: 2026-04-23T15:27:00.707

Link: CVE-2025-30635

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T16:30:16Z

Weaknesses