Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Stylemix Motors motors-car-dealership-classified-listings allows PHP Local File Inclusion. This issue affects Motors: from n/a through <= 1.4.71.
Published: 2025-04-11
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a CWE‑98 flaw that allows an attacker to manipulate the filename used in a PHP include/require statement. This leads to Local File Inclusion, enabling the attacker to read arbitrary files on the server and, if a PHP file is included, execute arbitrary code. The consequence is a full compromise of data confidentiality, integrity, and availability within the WordPress site.

Affected Systems

The vulnerability affects the Stylemix Motors "motors-car-dealership-classified-listings" plugin on WordPress, for all versions up to and including 1.4.71. No specific operating systems or hosting environments are listed, so any environment running the affected plugin is susceptible.

Risk and Exploitability

The CVSS score of 8.1 indicates a high severity rating, while the EPSS score of less than 1% suggests that exploitation is currently unlikely. The vulnerability is not listed in the CISA KEV catalog. It is inferred that the attack vector involves unauthenticated or low‑privileged users visiting crafted URLs or submitting specially formed requests that influence the include path. If triggered, an attacker could gain arbitrary code execution on the server.

Generated by OpenCVE AI on April 30, 2026 at 22:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Motors plugin to a version newer than 1.4.71 or apply any official patch released by Stylemix.
  • Remove or disable any plugin functionality that accepts user‑supplied file names for inclusion; implement strict whitelisting of allowed include paths.
  • Harden the PHP runtime by setting allow_url_include to Off and disabling allow_url_fopen, and ensure file permissions deny read of sensitive server files.
  • Fortify the web application with a firewall rule that blocks path traversal patterns and other suspicious include attempts.


Advisories
Source: EUVD
ID: EUVD-2025-10737
Title: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Stylemix Motors allows PHP Local File Inclusion. This issue affects Motors: from n/a through 1.4.65.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Stylemix Motors allows PHP Local File Inclusion. This issue affects Motors: from n/a through 1.4.65.
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Stylemix Motors motors-car-dealership-classified-listings allows PHP Local File Inclusion. This issue affects Motors: from n/a through <= 1.4.71.
Type: Title
Values Removed: WordPress Motors plugin <= 1.4.65 - Local File Inclusion vulnerability
Values Added: WordPress Motors plugin <= 1.4.71 - Local File Inclusion vulnerability
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Fri, 11 Apr 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 11 Apr 2025 09:00:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Stylemix Motors allows PHP Local File Inclusion. This issue affects Motors: from n/a through 1.4.65.
Title WordPress Motors plugin <= 1.4.65 - Local File Inclusion vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:26.535Z

Reserved: 2025-04-09T11:21:04.031Z

Link: CVE-2025-32654

Vulnrichment

Updated: 2025-04-11T13:31:49.509Z

NVD

Status: Deferred

Published: 2025-04-11T09:15:34.707

Modified: 2026-04-23T15:29:17.387

Link: CVE-2025-32654

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T23:00:04Z
