Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Crocoblock JetWooBuilder jet-woo-builder allows PHP Local File Inclusion. This issue affects JetWooBuilder: from n/a through <= 2.1.18.
Published: 2025-03-31
Score: 7.5 High
EPSS: 1.1% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Crocoblock JetWooBuilder WordPress plugin contains a flaw where a filename is improperly controlled before being passed to a PHP include/require statement. This weakness, classified as CWE‑98, permits a local file inclusion in the JetWooBuilder environment.

Affected Systems

The vulnerability impacts JetWooBuilder installations from the earliest release through version 2.1.18 on WordPress sites. Any site running a version older than or equal to 2.1.18 is potentially exposed, while newer releases are not affected.

Risk and Exploitability

A CVSS score of 7.5 indicates high severity, and an EPSS score of 1% suggests a low current exploitation probability. The plugin is not listed in the CISA KEV catalog. The official description does not specify an exact attack vector, but the vulnerability allows local file inclusion within the application context.

Generated by OpenCVE AI on May 12, 2026 at 14:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update JetWooBuilder to version 2.1.19 or later to apply the fix for the filename validation issue.
  • If an update cannot be applied immediately, disable the JetWooBuilder plugin or limit access to any administrative pages that may trigger the vulnerable include logic.
  • Configure the web server and PHP to disable allow_url_include, enforce strict path validation on include/require calls, and consider applying a web application firewall rule that blocks suspicious file path parameters.



Advisories
Source: EUVD
ID: EUVD-2025-8708
Title: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in NotFound JetWooBuilder allows PHP Local File Inclusion. This issue affects JetWooBuilder: from n/a through 2.1.18.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in NotFound JetWooBuilder allows PHP Local File Inclusion. This issue affects JetWooBuilder: from n/a through 2.1.18.
  Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Crocoblock JetWooBuilder jet-woo-builder allows PHP Local File Inclusion.This issue affects JetWooBuilder: from n/a through <= 2.1.18.
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Mon, 31 Mar 2025 06:15:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Crocoblock JetWooBuilder allows PHP Local File Inclusion.This issue affects JetWooBuilder: from n/a through 2.1.18.
  Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in NotFound JetWooBuilder allows PHP Local File Inclusion. This issue affects JetWooBuilder: from n/a through 2.1.18.

Mon, 31 Mar 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 31 Mar 2025 10:45:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in NotFound JetWooBuilder allows PHP Local File Inclusion. This issue affects JetWooBuilder: from n/a through 2.1.18.
  Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Crocoblock JetWooBuilder allows PHP Local File Inclusion.This issue affects JetWooBuilder: from n/a through 2.1.18.
Title WordPress JetWooBuilder plugin <= 2.1.18 - Local File Inclusion vulnerability

Mon, 31 Mar 2025 06:45:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in NotFound JetWooBuilder allows PHP Local File Inclusion. This issue affects JetWooBuilder: from n/a through 2.1.18.
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}



MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:03.663Z

Reserved: 2025-03-26T09:23:06.940Z

Link: CVE-2025-31016

Vulnrichment

Updated: 2025-03-31T14:22:39.752Z

NVD

Status: Deferred

Published: 2025-03-31T06:15:30.650

Modified: 2026-04-23T15:27:32.903

Link: CVE-2025-31016

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T14:45:17Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')