Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in webangon The Pack Elementor addons the-pack-addon allows PHP Local File Inclusion. This issue affects The Pack Elementor addons: from n/a through <= 2.1.1.
Published: 2025-03-27
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability stems from improper control of the filename used in include/require statements within the Pack Elementor addons plugin, categorised as CWE‑98. An attacker can induce the plugin to include arbitrary local files, potentially exposing sensitive configuration files or enabling remote code execution if paired with other weaknesses. The flaw directly compromises the confidentiality and integrity of the WordPress installation where the plugin is deployed.

Affected Systems

WordPress sites running the Pack Elementor addons plugin provided by webangon, from the earliest release through version 2.1.1, are affected.

Risk and Exploitability

The CVSS score of 7.5 signals high severity. The EPSS score of less than 1% indicates that exploitation is currently expected to be rare, and the issue is not listed in CISA's KEV catalog. Based on the description, the likely attack vector is inferred to be a crafted HTTP request that manipulates the plugin's filename input, giving an attacker file read or code execution capabilities under certain circumstances. Administrators should view this as a significant risk with a low but non-zero likelihood of exploitation.

Generated by OpenCVE AI on May 1, 2026 at 12:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Pack Elementor addons plugin to a patched version (>=2.1.2).
  • Configure PHP to restrict file inclusion by setting open_basedir to limit filesystem access and disabling allow_url_include.
  • If a patch or secure configuration change is not feasible, disable or remove the vulnerable plugin from the WordPress installation.

Advisories
Source: EUVD
ID: EUVD-2025-8343
Title: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in webangon The Pack Elementor addons allows PHP Local File Inclusion. This issue affects The Pack Elementor addons: from n/a through 2.1.1.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in webangon The Pack Elementor addons allows PHP Local File Inclusion. This issue affects The Pack Elementor addons: from n/a through 2.1.1.
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in webangon The Pack Elementor addons the-pack-addon allows PHP Local File Inclusion. This issue affects The Pack Elementor addons: from n/a through <= 2.1.1.

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Thu, 27 Mar 2025 14:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 27 Mar 2025 11:00:00 +0000

Type: Description
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in webangon The Pack Elementor addons allows PHP Local File Inclusion. This issue affects The Pack Elementor addons: from n/a through 2.1.1.

Type: Title
Values Added: WordPress The Pack Elementor addons plugin <= 2.1.1 - Local File Inclusion vulnerability

Type: Weaknesses
Values Added: CWE-98

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Webangon The Pack Elementor Addons
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:58.639Z

Reserved: 2025-03-26T09:20:54.384Z

Link: CVE-2025-30845

Vulnrichment

Updated: 2025-03-27T13:58:54.749Z

NVD

Status: Deferred

Published: 2025-03-27T11:15:45.643

Modified: 2026-04-23T15:27:10.877

Link: CVE-2025-30845

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T13:00:12Z

Weaknesses