Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Chop Chop Pop-Up Chop Chop pop-up allows PHP Local File Inclusion.This issue affects Pop-Up Chop Chop: from n/a through <= 2.1.7.
Published: 2025-03-28
Score: 7.5 High
EPSS: 1.1% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper control of the filename used in a PHP include/require statement, allowing an attacker to request arbitrary local files through the Chop Chop Pop‑Up Chop Chop plugin. If the attacker supplies a path that points to a file containing executable PHP code, the server may include that code, potentially allowing the execution of arbitrary PHP scripts on the server, which may affect the site’s confidentiality, integrity, and availability.

Affected Systems

Chop Chop Pop‑Up Chop Chop plugin, any version up to and including 2.1.7, which is actively released to WordPress sites.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity, while the EPSS score of 1% suggests a very low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog, but its impact could be severe if exploited. The likely attack vector is through a web‑based request that triggers the vulnerable include, requiring only local file inclusion payloads from the attacker’s side.

Generated by OpenCVE AI on May 12, 2026 at 15:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Chop Chop Pop‑Up Chop Chop plugin to the latest version newer than 2.1.7, ensuring the LFI fix is applied.
  • If a newer version is not available and the plugin is not critical for site functionality, uninstall or disable the plugin entirely to eliminate the risk.
  • After removal or update, perform a security scan of the webroot to ensure no vulnerable inclusion code remains, and monitor the site for any anomalous file inclusion attempts.

Generated by OpenCVE AI on May 12, 2026 at 15:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-8602 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Chop Chop Pop-Up Chop Chop allows PHP Local File Inclusion. This issue affects Pop-Up Chop Chop: from n/a through 2.1.7.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Chop Chop Pop-Up Chop Chop allows PHP Local File Inclusion. This issue affects Pop-Up Chop Chop: from n/a through 2.1.7. Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Chop Chop Pop-Up Chop Chop pop-up allows PHP Local File Inclusion.This issue affects Pop-Up Chop Chop: from n/a through <= 2.1.7.
Title WordPress Pop-Up Chop Chop <= 2.1.7 - Local File Inclusion Vulnerability WordPress Pop-Up Chop Chop plugin <= 2.1.7 - Local File Inclusion Vulnerability
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Fri, 28 Mar 2025 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 28 Mar 2025 12:00:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Chop Chop Pop-Up Chop Chop allows PHP Local File Inclusion. This issue affects Pop-Up Chop Chop: from n/a through 2.1.7.
Title WordPress Pop-Up Chop Chop <= 2.1.7 - Local File Inclusion Vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Chop-chop Pop-up Chop Chop
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:07.021Z

Reserved: 2025-03-28T11:00:15.485Z

Link: CVE-2025-31432

cve-icon Vulnrichment

Updated: 2025-03-28T12:24:16.822Z

cve-icon NVD

Status : Deferred

Published: 2025-03-28T12:15:15.720

Modified: 2026-04-23T15:27:48.957

Link: CVE-2025-31432

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-12T15:15:18Z

Weaknesses