Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Ashan Perera EventON eventon-lite allows PHP Local File Inclusion. This issue affects EventON: from n/a through <= 2.4.
Published: 2025-04-11
Score: 8.8 High
EPSS: 1.3% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is an Improper Control of Filename for Include/Require Statement that lets an attacker supply a file path to PHP’s include/require in the Ashan Perera EventON eventon‑lite WordPress plugin. This allows reading of files on the server and, if the attacker can supply content, the potential to execute arbitrary code. The result is a compromise of confidentiality and integrity, and when code execution is achieved, a full server compromise.

Affected Systems

WordPress sites that are running the EventON eventon‑lite plugin version 2.4 or earlier, as distributed by Ashan Perera.

Risk and Exploitability

The CVSS score of 8.8 classifies the vulnerability as high risk. The EPSS score of 2% indicates a moderate likelihood of exploitation in the near term. The vulnerability is not listed in the CISA KEV catalog. Based on the description alone, an attacker is inferred to trigger the flaw by supplying a malicious filename in a web request; the attack vector is therefore web‑based, and the flaw may be reachable without authentication or only by users with access to the plugin’s configuration.

Generated by OpenCVE AI on May 1, 2026 at 10:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the EventON eventon‑lite plugin to the latest available version that is newer than 2.4 to remove the flawed include logic.
  • If an update is not possible, disable or remove the plugin components that perform unfiltered includes, or isolate that code path by requiring strict validation of file names.
  • Restrict file system permissions on the WordPress installation so that the web server process cannot read sensitive files such as /etc/passwd, wp-config.php, or other configuration files.

Generated by OpenCVE AI on May 1, 2026 at 10:30 UTC.
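As an added illustration of the "strict validation of file names" recommendation above, the following is example code written for this page, not EventON's own code; the `view` parameter, the `templates` directory and the allowlist entries are assumptions.

```php
<?php
// Added example (not EventON code): resolve a request-controlled template key
// without letting the request choose the file handed to include/require (CWE-98).
// Anti-pattern this replaces: passing a request value straight into include().
declare(strict_types=1);

/**
 * Map a user-supplied key to an absolute path inside $templateDir.
 * Returns null when the key is unknown or the resolved file leaves the directory.
 */
function resolve_template(string $requested, string $templateDir, array $allowlist): ?string
{
    // 1. Only exact, known keys are accepted; request data never reaches the filesystem.
    if (!array_key_exists($requested, $allowlist)) {
        return null;
    }

    // 2. Build the path from the server-side mapping, never from $requested.
    $base = realpath($templateDir);
    $path = realpath($templateDir . DIRECTORY_SEPARATOR . $allowlist[$requested]);
    if ($base === false || $path === false) {
        return null;
    }

    // 3. Defense in depth: the file must stay inside the template directory
    //    and be a regular .php file (catches a misconfigured allowlist entry).
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    if (!is_file($path) || substr($path, -4) !== '.php') {
        return null;
    }
    return $path;
}

// Usage sketch inside a plugin render function (directory and parameter are assumed).
$allowlist = [
    'list'  => 'event-list.php',
    'month' => 'event-month.php',
];
$dir = __DIR__ . '/templates';
// Reject non-string input (e.g. view[]=x) instead of casting it.
$key = (isset($_GET['view']) && is_string($_GET['view'])) ? $_GET['view'] : 'list';

// Unknown keys fall back to the default template; nothing is included otherwise.
$template = resolve_template($key, $dir, $allowlist) ?? resolve_template('list', $dir, $allowlist);
if ($template !== null) {
    include $template; // the include target is always a server-chosen file
}
```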

Advisories

Source: EUVD
ID: EUVD-2025-10757
Title: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Ashan Perera EventON allows PHP Local File Inclusion. This issue affects EventON: from n/a through 2.3.2.

History

Thu, 23 Apr 2026 15:00:00 +0000

  Metrics (cvssV3_1): {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000

  Description
    Removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Ashan Perera EventON allows PHP Local File Inclusion. This issue affects EventON: from n/a through 2.3.2.
    Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Ashan Perera EventON eventon-lite allows PHP Local File Inclusion.This issue affects EventON: from n/a through <= 2.4.
  Title
    Removed: WordPress EventON plugin <= 2.3.2 - Local File Inclusion vulnerability
    Added: WordPress EventON plugin <= 2.4 - Local File Inclusion vulnerability
  References
  Metrics (cvssV3_1): {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Fri, 11 Apr 2025 15:15:00 +0000

  Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 11 Apr 2025 09:00:00 +0000

  Description (added): Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Ashan Perera EventON allows PHP Local File Inclusion. This issue affects EventON: from n/a through 2.3.2.
  Title (added): WordPress EventON plugin <= 2.3.2 - Local File Inclusion vulnerability
  Weaknesses (added): CWE-98
  References
  Metrics (cvssV3_1, added): {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED
Assigner: Patchstack
Published:
Updated: 2026-05-12T00:06:30.372Z
Reserved: 2025-04-09T11:20:35.409Z
Link: CVE-2025-32614

Vulnrichment

Updated: 2025-04-11T14:56:13.640Z

NVD

Status: Deferred
Published: 2025-04-11T09:15:32.497
Modified: 2026-04-23T15:29:12.830
Link: CVE-2025-32614

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T10:30:15Z

Weaknesses