Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in InfornWeb News & Blog Designer Pack blog-designer-pack allows PHP Local File Inclusion. This issue affects News & Blog Designer Pack: from n/a through <= 4.0.
Published: 2025-04-01
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is improper control of the filename passed to a PHP include/require statement, which allows Local File Inclusion. An attacker who can influence the include path may read arbitrary local files or cause local files to be executed as PHP, leading to disclosure of sensitive information or remote code execution. The weakness is identified as CWE-98.

Affected Systems

The affected product is InfornWeb News & Blog Designer Pack, a WordPress plugin. Versions from the initial release up through 4.0 are impacted. Users running any affected version should verify their installed plugin version.

Risk and Exploitability

The CVSS score of 8.1 indicates high severity, reflecting the potential for significant impact. The recorded vector, CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H, describes a network attack vector with high attack complexity, no privileges required and no user interaction. The EPSS score of less than 1% shows a low estimated likelihood of exploitation at the time of analysis. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a web request that manipulates the include parameter, so an attacker needs either local access or an ability to craft a request against the plugin. Prompt patching is recommended to mitigate the risk.

Generated by OpenCVE AI on May 1, 2026 at 01:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the plugin to a version newer than 4.0.
  • Remove or disable the plugin if an upgrade cannot be applied immediately.
  • Enforce a whitelist of allowed filenames for the plugin’s include parameters or reject any input containing directory traversal sequences.
  • Configure PHP to disable allow_url_include and enable strict file inclusion checks.

Advisories
Source: EUVD
ID: EUVD-2025-9478
Title: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in InfornWeb News & Blog Designer Pack allows PHP Local File Inclusion. This issue affects News & Blog Designer Pack: from n/a through 4.0.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in InfornWeb News & Blog Designer Pack allows PHP Local File Inclusion. This issue affects News & Blog Designer Pack: from n/a through 4.0.
  Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in InfornWeb News & Blog Designer Pack blog-designer-pack allows PHP Local File Inclusion. This issue affects News & Blog Designer Pack: from n/a through <= 4.0.
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Wed, 02 Apr 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 01 Apr 2025 21:00:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in InfornWeb News & Blog Designer Pack allows PHP Local File Inclusion. This issue affects News & Blog Designer Pack: from n/a through 4.0.
Title WordPress News & Blog Designer Pack plugin <= 4.0 - Local File Inclusion vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:04.997Z

Reserved: 2025-03-26T09:25:58.784Z

Link: CVE-2025-31082

Vulnrichment

Updated: 2025-04-02T13:32:35.966Z

NVD

Status: Deferred

Published: 2025-04-01T21:15:46.720

Modified: 2026-04-23T15:27:40.313

Link: CVE-2025-31082

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T01:30:05Z
