Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in g5theme Essential Real Estate essential-real-estate allows PHP Local File Inclusion. This issue affects Essential Real Estate: from n/a through <= 5.2.0.
Published: 2025-04-01
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Essential Real Estate plugin does not properly control the filename used in PHP's include/require statements, so an attacker who can influence the file path can load local files from the server. The attacker may obtain sensitive files or, if a PHP file is included, execute code with the web-server process's privileges, potentially enabling remote code execution.

Affected Systems

The vulnerability affects all installations of the Essential Real Estate WordPress plugin by g5theme through version 5.2.0.

Risk and Exploitability

The CVSS score of 8.1 reflects the high severity of the issue. Although the EPSS score is below 1%, indicating a low current probability of exploitation, the flaw remains serious due to its simplicity and lack of authentication. The attack path is straightforward: a malicious actor can craft a request that passes an unchecked file path to the plugin's include mechanism, requiring no prior login. Because of the potential for sensitive data disclosure and code execution, the risk to impacted sites is high and warrants prompt action.

Generated by OpenCVE AI on May 1, 2026 at 12:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Essential Real Estate plugin to the latest version that contains the LFI fix.
  • If an upgrade cannot be performed immediately, disable the plugin to eliminate the vulnerable code path.
  • Ensure the WordPress core is up‑to‑date and set allow_url_fopen to Off in php.ini to reduce inclusion risk.


Advisories
Source: EUVD
ID: EUVD-2025-9097
Title: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in g5theme Essential Real Estate allows PHP Local File Inclusion. This issue affects Essential Real Estate: from n/a through 5.2.0.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
Values Added: cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in g5theme Essential Real Estate allows PHP Local File Inclusion. This issue affects Essential Real Estate: from n/a through 5.2.0.
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in g5theme Essential Real Estate essential-real-estate allows PHP Local File Inclusion. This issue affects Essential Real Estate: from n/a through <= 5.2.0.

Type: References

Type: Metrics
Values Removed: cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}
Values Added: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Tue, 27 May 2025 19:15:00 +0000

Type Values Removed Values Added
First Time appeared G5plus
G5plus essential Real Estate
Weaknesses CWE-706
CPEs cpe:2.3:a:g5plus:essential_real_estate:*:*:*:*:*:wordpress:*:*
Vendors & Products G5plus
G5plus essential Real Estate

Tue, 01 Apr 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 01 Apr 2025 05:45:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in g5theme Essential Real Estate allows PHP Local File Inclusion. This issue affects Essential Real Estate: from n/a through 5.2.0.
Title WordPress Essential Real Estate plugin <= 5.2.0 - Local File Inclusion Vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:58.855Z

Reserved: 2025-03-26T09:20:54.385Z

Link: CVE-2025-30849

Vulnrichment

Updated: 2025-04-01T16:33:58.827Z

NVD

Status: Modified

Published: 2025-04-01T06:15:53.063

Modified: 2026-04-23T15:27:11.327

Link: CVE-2025-30849

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T12:15:17Z

Weaknesses