Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in webangon The Pack Elementor addons the-pack-addon allows PHP Local File Inclusion. This issue affects The Pack Elementor addons: from n/a through <= 2.1.1.
Published: 2025-03-27
Score: 7.5 High
EPSS: 2.3% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Pack Elementor addons plugin improperly controls the filename passed to PHP include or require statements, a weakness classified as CWE-98. The flaw lets an attacker supply a crafted filename that PHP will then include, enabling arbitrary local file inclusion. This could expose sensitive files or provide other malicious capabilities as described in the advisory. The provided description makes no explicit mention of remote code execution.

Affected Systems

WordPress sites running the webangon The Pack Elementor addons plugin, from the earliest releases up through version 2.1.1, are affected.

Risk and Exploitability

The CVSS score of 7.5 signals high severity, while the EPSS score of 2% indicates that exploitation is currently expected to be infrequent. The issue is not listed in CISA’s KEV catalog. Based on the description, it is inferred that the likely attack vector is a crafted HTTP request that manipulates the plugin’s filename input, allowing an attacker to specify arbitrary local file paths for inclusion.

Generated by OpenCVE AI on May 7, 2026 at 15:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade The Pack Elementor addons plugin to version 2.1.2 or later.
  • Configure PHP in the WordPress environment to set open_basedir to a restricted path and disable allow_url_include to mitigate uncontrolled file inclusion.
  • If a patch or configuration change cannot be applied, disable or delete the vulnerable plugin from the WordPress installation.



Advisories
Source: EUVD
ID: EUVD-2025-8343
Title: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in webangon The Pack Elementor addons allows PHP Local File Inclusion. This issue affects The Pack Elementor addons: from n/a through 2.1.1.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in webangon The Pack Elementor addons allows PHP Local File Inclusion. This issue affects The Pack Elementor addons: from n/a through 2.1.1.
  Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in webangon The Pack Elementor addons the-pack-addon allows PHP Local File Inclusion. This issue affects The Pack Elementor addons: from n/a through <= 2.1.1.
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Thu, 27 Mar 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 27 Mar 2025 11:00:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in webangon The Pack Elementor addons allows PHP Local File Inclusion. This issue affects The Pack Elementor addons: from n/a through 2.1.1.
Title WordPress The Pack Elementor addons plugin <= 2.1.1 - Local File Inclusion vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Webangon The Pack Elementor Addons
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:58.639Z

Reserved: 2025-03-26T09:20:54.384Z

Link: CVE-2025-30845

Vulnrichment

Updated: 2025-03-27T13:58:54.749Z

NVD

Status: Deferred

Published: 2025-03-27T11:15:45.643

Modified: 2026-04-23T15:27:10.877

Link: CVE-2025-30845

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T15:30:06Z

Weaknesses