Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Maidul Team Manager wp-team-manager allows PHP Local File Inclusion. This issue affects Team Manager: from n/a through <= 2.1.23.
Published: 2025-03-27
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from improper validation of a filename used in a PHP include statement, allowing an attacker to coerce the server into including local files. This flaw can expose sensitive files such as configuration files or allow the inclusion of files that contain malicious code, potentially leading to local code execution. The weakness is classified as CWE‑98 (improper control of the filename in an include/require statement), which undermines data confidentiality and system integrity.

Affected Systems

The issue affects the WordPress Team Manager plugin supplied by Maidul, specifically all releases through version 2.1.23 inclusive. Any WordPress site running version 2.1.23 or an earlier version of this plugin is at risk.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity, while the EPSS score of < 1% indicates that the likelihood of exploitation is currently very low. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is a local file inclusion attempt triggered via an unsanitized request parameter, which may require an account with at least user-level privileges that can interact with the plugin's input fields. An attacker who can supply a crafted filename can read arbitrary files and potentially execute code, compromising confidentiality, integrity, and availability at the application level.

Generated by OpenCVE AI on May 1, 2026 at 03:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WordPress Team Manager plugin to the latest release that corrects the include logic (any version newer than 2.1.23).
  • If an immediate update is unavailable, enforce strict filename validation by whitelisting only the intended directories and rejecting any path traversal or null byte attempts before passing data to include().
  • Ensure 'allow_url_include' is set to 'Off' in php.ini to mitigate similar weaknesses. Adding 'disable_functions = include,include_once,require,require_once' does not help here: these are language constructs rather than functions, so 'disable_functions' has no effect on them.
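
One way to implement the filename validation described in the list above, as an added example (not the plugin's code or a vendor fix). The `layout` parameter, `ALLOWED_LAYOUTS` and `resolve_layout()` are hypothetical names, and the template directory and inputs are constructed for the demo.

```php
<?php
declare(strict_types=1);

// Hypothetical names throughout; this is not the Team Manager plugin's code.
// CWE-98 pattern being replaced: include $dir . '/' . $_REQUEST['layout'] . '.php';

const ALLOWED_LAYOUTS = ['grid' => 'grid.php', 'list' => 'list.php']; // constructed allowlist

function resolve_layout(string $requested, string $templateDir): ?string
{
    // Reject null bytes and anything that is not a short, plain identifier.
    if (strpos($requested, "\0") !== false
        || !preg_match('/\A[a-z0-9_-]{1,32}\z/', $requested)) {
        return null;
    }
    // The file name comes from the developer's map, never from the request.
    if (!array_key_exists($requested, ALLOWED_LAYOUTS)) {
        return null;
    }
    $base = realpath($templateDir);
    $path = realpath($templateDir . '/' . ALLOWED_LAYOUTS[$requested]);
    // Defence in depth: the resolved file must exist and still sit inside the
    // template directory (catches symlinks and a misconfigured allowlist).
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo: a throwaway template directory and sample inputs.
$dir = sys_get_temp_dir() . '/layouts_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . '/grid.php', "<?php echo 'grid layout';\n");

foreach (['grid', 'list', '../outside', "grid\0.txt", 'GRID'] as $input) {
    $path = resolve_layout($input, $dir);
    $label = json_encode($input, JSON_UNESCAPED_SLASHES);
    printf("%-18s => %s\n", $label, $path === null ? 'rejected' : 'include ' . basename($path));
    if ($path !== null) {
        include $path; // only reached for an allowlisted, existing file
        echo "\n";
    }
}

unlink($dir . '/grid.php');
rmdir($dir);
```

Only `grid` is included; `list` is allowlisted but rejected because no such file exists in the constructed directory.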

Advisories
Source ID Title
EUVD EUVD-2025-8324 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in DynamicWebLab Team Manager allows PHP Local File Inclusion. This issue affects Team Manager: from n/a through 2.1.23.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
Removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in DynamicWebLab Team Manager allows PHP Local File Inclusion. This issue affects Team Manager: from n/a through 2.1.23.
Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Maidul Team Manager wp-team-manager allows PHP Local File Inclusion. This issue affects Team Manager: from n/a through <= 2.1.23.
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Thu, 27 Mar 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 27 Mar 2025 11:00:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in DynamicWebLab Team Manager allows PHP Local File Inclusion. This issue affects Team Manager: from n/a through 2.1.23.
Title WordPress Team Manager plugin <= 2.1.23 - Local File Inclusion Vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:59.260Z

Reserved: 2025-03-26T09:21:08.359Z

Link: CVE-2025-30868

Vulnrichment

Updated: 2025-03-27T13:15:48.132Z

NVD

Status: Deferred

Published: 2025-03-27T11:15:48.103

Modified: 2026-04-23T15:27:13.577

Link: CVE-2025-30868

OpenCVE Enrichment

Updated: 2026-05-01T04:00:06Z

Weaknesses