Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Ashan Perera EventON eventon-lite.This issue affects EventON: from n/a through <= 2.4.1.
Published: 2025-04-10
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw lies in the plugin’s handling of filenames used in PHP include or require statements, constituting a CWE‑98 vulnerability. This improper control allows an attacker to force the application to include arbitrary files. Such inclusion can lead to execution of malicious code, data exposure or tampering, and potentially full system compromise if the include can pull in remote code.

Affected Systems

WordPress sites that use the Ashan Perera EventON eventon-lite plugin, versions up to and including 2.4.1. Any site installing or running these plugin releases is affected.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity risk. The EPSS score of <1% shows a low probability of widespread exploitation at present, and the vulnerability is not listed in CISA KEV. Based on the description, it is inferred that the likely attack vector involves crafted requests that manipulate the filename parameter, which may be supplied via URLs or form inputs. Successful exploitation would require that the attacker can reach the target site and influence the include path—conditions that are commonly satisfied in public web applications.

Generated by OpenCVE AI on May 2, 2026 at 02:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the EventON eventon-lite plugin to a version newer than 2.4.1 where the inclusion is properly validated or removed.
  • If an upgrade is not immediately possible, restrict the allowed include paths by hard‑coding a whitelist or removing the vulnerable include logic from the plugin code.
  • Configure the web server or WAF to block attempts to pass arbitrary path values in requests that reach the plugin’s inclusion point, preventing the inclusion of unintended files.

Generated by OpenCVE AI on May 2, 2026 at 02:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-10477 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Ashan Perera EventON. This issue affects EventON: from n/a through 2.3.2.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Ashan Perera EventON. This issue affects EventON: from n/a through 2.3.2. Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Ashan Perera EventON eventon-lite.This issue affects EventON: from n/a through <= 2.4.1.
Title WordPress EventON plugin <= 2.3.2 - Local File Inclusion vulnerability WordPress EventON plugin <= 2.4.1 - Local File Inclusion vulnerability
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Thu, 10 Apr 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 10 Apr 2025 08:15:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Ashan Perera EventON. This issue affects EventON: from n/a through 2.3.2.
Title WordPress EventON plugin <= 2.3.2 - Local File Inclusion vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:17.923Z

Reserved: 2025-04-04T10:00:58.028Z

Link: CVE-2025-32160

cve-icon Vulnrichment

Updated: 2025-04-10T14:22:50.478Z

cve-icon NVD

Status : Deferred

Published: 2025-04-10T08:15:16.863

Modified: 2026-04-23T15:28:40.253

Link: CVE-2025-32160

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-02T02:30:25Z

Weaknesses