Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in hakeemnala Build App Online build-app-online allows PHP Local File Inclusion. This issue affects Build App Online: from n/a through <= 1.0.23.
Published: 2025-04-11
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper control of filenames in the Build App Online plugin's include and require logic allows an attacker to specify a file path that is passed directly to PHP without adequate sanitization. This results in a local file inclusion flaw: it can be used to read arbitrary files on the server, or to execute malicious PHP code if the attacker can first place a payload in a file that the include can reach.

Affected Systems

Vulnerable versions are all releases of the Build App Online plugin up to and including 1.0.23, distributed by the vendor hakeemnala. Users running any of these versions on a WordPress site are affected.

Risk and Exploitability

The CVSS score of 9.8 marks this as critical. The EPSS score is under 1%, indicating that, as of now, exploitation is not commonly observed, and the vulnerability is absent from the CISA KEV catalog. The attack vector is likely remote, accessed through web requests to a public WordPress installation, where the attacker crafts a request containing a malicious filename parameter to trigger the inclusion. Successful exploitation could allow reading sensitive files or executing code, thereby compromising confidentiality, integrity, or availability of the affected site.

Generated by OpenCVE AI on April 30, 2026 at 23:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Build App Online plugin to a version newer than 1.0.23 when a patched release becomes available.
  • If an upgrade is not immediately feasible, deactivate or remove the plugin from the WordPress installation to eliminate the vulnerable code path.
  • Implement input validation or a web application firewall rule that rejects file paths containing directory traversal sequences (e.g., '..') or non-standard characters before they are passed to include/require to mitigate potential future inclusion vulnerabilities.
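As an added example, not code from the Build App Online plugin or from OpenCVE: a PHP include wrapper implementing the validation the last recommendation describes, with an allowlist of template names plus a realpath containment check as a second line of defence. The request parameter name `view`, the `templates` directory and the template names are assumptions.

```php
<?php
// Added example (hypothetical plugin code): safe wrapper around include/require.
// The parameter 'view', the templates directory and the allowed names are assumptions.

declare(strict_types=1);

/**
 * Resolve a user-supplied template name to a file inside $baseDir.
 * Returns the resolved path, or null when the request must be rejected.
 */
function resolve_template(string $requested, string $baseDir, array $allowed): ?string
{
    // 1. Allowlist: only known template names are accepted, so '..', '/', null
    //    bytes, wrappers such as php:// and any other unexpected input are rejected
    //    before they ever reach include/require.
    if (!in_array($requested, $allowed, true)) {
        return null;
    }

    // 2. Containment (defence in depth): resolve symlinks and '..' and confirm the
    //    final path still lies inside the templates directory.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested . '.php');
    if ($base === false || $path === false) {
        return null; // directory or template file does not exist
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null; // resolved outside the templates directory
    }
    return $path;
}

// Hypothetical request handler: default to 'home', fail closed on anything else.
$allowed  = ['home', 'settings', 'preview'];
$requested = (string) ($_GET['view'] ?? 'home');
$template  = resolve_template($requested, __DIR__ . '/templates', $allowed);

if ($template === null) {
    http_response_code(400);
    exit('Unknown view');
}
require $template;
```

Rejected requests surface as 400 responses, which makes probing of the parameter visible in web-server access logs.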

Advisories
Source: EUVD
ID: EUVD-2025-10774
Title: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in hakeemnala Build App Online allows PHP Local File Inclusion. This issue affects Build App Online: from n/a through 1.0.23.
History

Thu, 23 Apr 2026 15:00:00 +0000

  Metrics (cvssV3_1), value added:
    {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000

  Description, value removed:
    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in hakeemnala Build App Online allows PHP Local File Inclusion. This issue affects Build App Online: from n/a through 1.0.23.
  Description, value added:
    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in hakeemnala Build App Online build-app-online allows PHP Local File Inclusion.This issue affects Build App Online: from n/a through <= 1.0.23.
  References
  Metrics (cvssV3_1), value added:
    {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Fri, 11 Apr 2025 14:15:00 +0000

  Metrics (ssvc), value added:
    {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 11 Apr 2025 09:00:00 +0000

  Description, value added:
    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in hakeemnala Build App Online allows PHP Local File Inclusion. This issue affects Build App Online: from n/a through 1.0.23.
  Title, value added:
    WordPress Build App Online Plugin <= 1.0.23 - Local File Inclusion vulnerability
  Weaknesses, value added:
    CWE-98
  References
  Metrics (cvssV3_1), value added:
    {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:24.627Z

Reserved: 2025-04-09T11:20:15.874Z

Link: CVE-2025-32577

Vulnrichment

Updated: 2025-04-11T13:31:03.859Z

NVD

Status: Deferred

Published: 2025-04-11T09:15:29.000

Modified: 2026-04-23T15:29:08.517

Link: CVE-2025-32577

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T23:15:05Z

Weaknesses