Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Bastien Ho Accounting for WooCommerce accounting-for-woocommerce allows PHP Local File Inclusion.This issue affects Accounting for WooCommerce: from n/a through <= 1.6.8.
Published: 2025-03-31
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper validation of the filename used in a PHP include/require statement allows a local file to be included. This flaw can expose the filesystem or execute attacker‑supplied code if the included file contains malicious content. The vulnerability is identified as CWE‑98. The attack is likely remote, requiring a crafted web request to the plugin’s interface, and would compromise the confidentiality, integrity, and availability of the affected WordPress site.

Affected Systems

The issue affects the Accounting for WooCommerce plugin developed by Bastien Ho. All releases from the initial version up to and including 1.6.8 are impacted.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity level, while the EPSS score of less than 1% suggests that widespread exploitation is unlikely but possible. The vulnerability is not listed in the CISA KEV catalog. Attackers can trigger the flaw by manipulating the filename parameter in a remote request, revealing sensitive files or enabling execution of arbitrary code if they can supply a malicious file. The low EPSS indicates that targeted exploitation may occur, but the lack of public exploit evidence suggests the risk is moderate to high depending on exposure.

Generated by OpenCVE AI on May 2, 2026 at 02:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Accounting for WooCommerce plugin to version 1.6.9 or newer.
  • Configure file system permissions to restrict the web server’s ability to read or execute files outside the intended plugin directory, such as wp-content/uploads and other system files.
  • Deploy a Web Application Firewall or use a security plugin that includes LFI detection rules to block requests that attempt to manipulate file inclusion parameters and to log suspicious activity.

Generated by OpenCVE AI on May 2, 2026 at 02:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-8711 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Bastien Ho Accounting for WooCommerce allows PHP Local File Inclusion. This issue affects Accounting for WooCommerce: from n/a through 1.6.8.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Bastien Ho Accounting for WooCommerce allows PHP Local File Inclusion. This issue affects Accounting for WooCommerce: from n/a through 1.6.8. Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Bastien Ho Accounting for WooCommerce accounting-for-woocommerce allows PHP Local File Inclusion.This issue affects Accounting for WooCommerce: from n/a through <= 1.6.8.
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Mon, 31 Mar 2025 13:15:00 +0000

Type Values Removed Values Added
Title WordPress Accounting for WooCommerce plugin <= 1.6.8 - Local File Inclusion vulnerability
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 31 Mar 2025 06:45:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Bastien Ho Accounting for WooCommerce allows PHP Local File Inclusion. This issue affects Accounting for WooCommerce: from n/a through 1.6.8.
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:58.418Z

Reserved: 2025-03-26T09:20:47.108Z

Link: CVE-2025-30835

cve-icon Vulnrichment

Updated: 2025-03-31T12:58:29.285Z

cve-icon NVD

Status : Deferred

Published: 2025-03-31T06:15:30.123

Modified: 2026-06-17T09:09:26.160

Link: CVE-2025-30835

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-02T03:00:13Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')