Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in g5theme Ultimate Bootstrap Elements for Elementor ultimate-bootstrap-elements-for-elementor allows PHP Local File Inclusion. This issue affects Ultimate Bootstrap Elements for Elementor: from n/a through <= 1.4.9.
Published: 2025-04-11
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Ultimate Bootstrap Elements for Elementor plugin contains an improper check of filenames used in PHP include/require statements, which is a CWE‑98 flaw. This vulnerability enables an attacker who can manipulate plugin input to specify an arbitrary local file, causing the PHP interpreter to include that file. If the included file contains PHP code or is executed in a context that interprets PHP, the attacker could gain the ability to run malicious code on the server. In the absence of file permission restrictions, the plugin may also expose sensitive configuration files or other data that belong to the site.

Affected Systems

WordPress installations that have the Ultimate Bootstrap Elements for Elementor plugin installed with any release from its inception up to and including version 1.4.9 are affected. No update or patch version is specified in the data, but the flaw applies to all these releases.

Risk and Exploitability

The CVSS score of 8.1 marks the vulnerability as high severity, while an EPSS score of 0.0176% indicates that exploitation in the wild is extremely unlikely. The flaw is not listed in the CISA KEV catalog, so it has not yet been reported as a widely exploited vulnerability. Exploitation would typically involve sending a crafted request that supplies a path to an arbitrary local file; this can be achieved via plugin settings, query parameters, or other input points that the plugin passes to the include/require call.

Generated by OpenCVE AI on May 20, 2026 at 16:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Ultimate Bootstrap Elements for Elementor plugin to the earliest patched release that eliminates the unsafe include logic (consult the vendor’s repository or changelog for a fixed version).
  • If a patched version is unavailable, disable or uninstall the plugin to remove the vulnerable code path entirely.
  • Apply additional server‑side hardening such as restricting file permissions on the webroot and tightening PHP’s include_path to the plugin directory only, which limits the directories searched by the plugin’s include statements. Because include_path only governs how relative paths are resolved, pair it with open_basedir to confine the files PHP is allowed to open.


Advisories
Source: EUVD
ID: EUVD-2025-10739
Title: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in g5theme Ultimate Bootstrap Elements for Elementor allows PHP Local File Inclusion. This issue affects Ultimate Bootstrap Elements for Elementor: from n/a through 1.4.9.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
Values Removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in g5theme Ultimate Bootstrap Elements for Elementor allows PHP Local File Inclusion. This issue affects Ultimate Bootstrap Elements for Elementor: from n/a through 1.4.9.
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in g5theme Ultimate Bootstrap Elements for Elementor ultimate-bootstrap-elements-for-elementor allows PHP Local File Inclusion. This issue affects Ultimate Bootstrap Elements for Elementor: from n/a through <= 1.4.9.
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Fri, 11 Apr 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 11 Apr 2025 09:00:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in g5theme Ultimate Bootstrap Elements for Elementor allows PHP Local File Inclusion. This issue affects Ultimate Bootstrap Elements for Elementor: from n/a through 1.4.9.
Title WordPress Ultimate Bootstrap Elements for Elementor plugin <= 1.4.9 - Local File Inclusion Vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:27.863Z

Reserved: 2025-04-09T11:21:18.307Z

Link: CVE-2025-32672

Vulnrichment

Updated: 2025-04-11T14:47:44.054Z

NVD

Status: Deferred

Published: 2025-04-11T09:15:35.727

Modified: 2026-06-17T09:12:23.883

Link: CVE-2025-32672

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-20T16:15:16Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')