Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in RadiusTheme Radius Blocks radius-blocks allows PHP Local File Inclusion. This issue affects Radius Blocks: from n/a through <= 2.2.1.
Published: 2025-04-04
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Radius Blocks plugin for WordPress improperly controls the filename used in include/require statements, a weakness identified as CWE-98. This flaw enables an attacker to supply a path that includes arbitrary local files from the server’s filesystem. If a malicious file contains executable code, the attacker may obtain remote code execution or disclose sensitive data. The description states the vulnerability is a PHP Local File Inclusion.

Affected Systems

The affected product is the Radius Blocks plugin from RadiusTheme. All versions through 2.2.1 are vulnerable; the analysis does not list a fixed version, so any installed release up to and including 2.2.1 is impacted.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity. The EPSS score is reported as less than 1%, suggesting that the current probability of exploitation is very low. The vulnerability is not in the CISA KEV catalog. The attack appears to require a crafted HTTP request to the plugin’s include endpoint, making it a local file inclusion vector that a remote user could trigger if the path is not properly validated. Given the low EPSS, exploitation is unlikely but remains possible as long as the plugin is not updated.

Generated by OpenCVE AI on May 1, 2026 at 11:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Radius Blocks plugin to a version newer than 2.2.1, if a patched release is available.
  • If an upgrade is not feasible, disable the plugin to eliminate the inclusion functionality until a fix is released.
  • Configure the web server or a firewall to block direct requests to the plugin’s include endpoint or to the directories containing plugin files, thereby reducing the attack surface for LFI attempts.



Advisories
Source: EUVD
ID: EUVD-2025-9859
Title: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in RadiusTheme Radius Blocks allows PHP Local File Inclusion. This issue affects Radius Blocks: from n/a through 2.2.1.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in RadiusTheme Radius Blocks allows PHP Local File Inclusion. This issue affects Radius Blocks: from n/a through 2.2.1.
  Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in RadiusTheme Radius Blocks radius-blocks allows PHP Local File Inclusion. This issue affects Radius Blocks: from n/a through <= 2.2.1.
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Fri, 04 Apr 2025 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 04 Apr 2025 16:15:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in RadiusTheme Radius Blocks allows PHP Local File Inclusion. This issue affects Radius Blocks: from n/a through 2.2.1.
Title WordPress Radius Blocks plugin <= 2.2.1 - Local File Inclusion vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}



MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:17.965Z

Reserved: 2025-04-04T10:00:58.028Z

Link: CVE-2025-32159

Vulnrichment

Updated: 2025-04-04T19:53:11.353Z

NVD

Status: Deferred

Published: 2025-04-04T16:15:24.457

Modified: 2026-04-23T15:28:40.143

Link: CVE-2025-32159

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T11:15:15Z

Weaknesses