Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Adrian Tobey WordPress SMTP Service, Email Delivery Solved! — MailHawk mailhawk allows PHP Local File Inclusion. This issue affects WordPress SMTP Service, Email Delivery Solved! — MailHawk: from n/a through <= 1.3.1.
Published: 2025-04-11
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Adrian Tobey's MailHawk plugin for WordPress does not adequately validate file input, which allows an attacker to control the filename used in a PHP include or require statement. The flaw is classified as CWE-98 and can lead to local file inclusion, which may expose sensitive files or enable the execution of arbitrary PHP code if a malicious file is included. Consequently, an attacker could read configuration data or gain remote code execution on the affected system.

Affected Systems

WordPress sites that have the MailHawk plugin installed are affected. All versions of the plugin from its initial release up to and including 1.3.1 are susceptible; any site running these versions should be considered vulnerable.

Risk and Exploitability

The CVSS base score is 7.5, indicating significant impact. The EPSS score is < 1 %, suggesting exploit attempts are rare, and the vulnerability is not listed in the CISA KEV catalog. Still, the lack of hardening around the include mechanism means that an attacker who can influence the plugin’s filename logic—likely via a crafted HTTP request—could read arbitrary files or execute code if a local file containing PHP is included.

Generated by OpenCVE AI on May 21, 2026 at 14:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the MailHawk plugin to a version newer than 1.3.1 once an official patch becomes available.
  • If an update is not immediately possible, disable or uninstall the MailHawk plugin to remove the vulnerable code path.
  • Configure the web server to enforce strict file permissions and restrict the PHP include paths to prevent access to sensitive files, and monitor the site for anomalous inclusion attempts.


Advisories
Source: EUVD
ID: EUVD-2025-10793
Title: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Adrian Tobey WordPress SMTP Service, Email Delivery Solved! — MailHawk allows PHP Local File Inclusion. This issue affects WordPress SMTP Service, Email Delivery Solved! — MailHawk: from n/a through 1.3.1.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Adrian Tobey WordPress SMTP Service, Email Delivery Solved! — MailHawk allows PHP Local File Inclusion. This issue affects WordPress SMTP Service, Email Delivery Solved! — MailHawk: from n/a through 1.3.1.
  Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Adrian Tobey WordPress SMTP Service, Email Delivery Solved! — MailHawk mailhawk allows PHP Local File Inclusion. This issue affects WordPress SMTP Service, Email Delivery Solved! — MailHawk: from n/a through <= 1.3.1.
Title
  Removed: WordPress WordPress SMTP Service, Email Delivery Solved! — MailHawk <= 1.3.1 - Local File Inclusion Vulnerability
  Added: WordPress SMTP Service, Email Delivery Solved! — MailHawk plugin <= 1.3.1 - Local File Inclusion Vulnerability
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}


Fri, 11 Apr 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 11 Apr 2025 09:00:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Adrian Tobey WordPress SMTP Service, Email Delivery Solved! — MailHawk allows PHP Local File Inclusion. This issue affects WordPress SMTP Service, Email Delivery Solved! — MailHawk: from n/a through 1.3.1.
Title WordPress WordPress SMTP Service, Email Delivery Solved! — MailHawk <= 1.3.1 - Local File Inclusion Vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}



MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:03.629Z

Reserved: 2025-03-26T09:23:06.940Z

Link: CVE-2025-31015

Vulnrichment

Updated: 2025-04-11T13:46:07.675Z

NVD

Status: Deferred

Published: 2025-04-11T09:15:19.593

Modified: 2026-04-23T15:27:32.063

Link: CVE-2025-31015

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-21T15:00:11Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')