Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in FantasticPlugins SUMO Reward Points rewardsystem allows PHP Local File Inclusion.This issue affects SUMO Reward Points: from n/a through <= 30.7.0.
Published: 2025-05-19
Score: 8.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An improper filename validation flaw in FantasticPlugins SUMO Reward Points allows an attacker to control the file path used in an include/require statement. This Local File Inclusion vulnerability can expose sensitive files such as configuration data or, if a remote file upload is possible, enable arbitrary PHP code execution. The flaw is classified as CWE-98 and represents a serious compromise of confidentiality and potentially integrity.

Affected Systems

WordPress users running the SUMO Reward Points plugin from any version up to and including 30.7.0 are affected. The vulnerability applies to all installations of the plugin that have not been updated past version 30.7.0.

Risk and Exploitability

The CVSS score of 8.3 indicates high severity. Although the EPSS score is below 1%, suggesting a low current exploitation probability, the presence of this flaw means a local or remote attacker could exploit it if the plugin processes untrusted input. The vulnerability is not yet listed in the CISA KEV catalog, but any instance with the affected plugin version should be treated with high urgency.

Generated by OpenCVE AI on April 30, 2026 at 19:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the SUMO Reward Points plugin to the latest version where the LFI issue is fixed.
  • If an upgrade is not immediately possible, contact FantasticPlugins to obtain a temporary patch or errata and restrict the plugin’s inclusion paths as far as possible.
  • Configure a web application firewall to block requests containing suspicious or relative paths that target the plugin’s file inclusion logic.
  • Monitor PHP error logs and web traffic for attempts to access files such as /etc/passwd or upload malicious scripts to confirm exploitation attempts.

Generated by OpenCVE AI on April 30, 2026 at 19:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-15789 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in FantasticPlugins SUMO Reward Points allows PHP Local File Inclusion.This issue affects SUMO Reward Points: from n/a through 30.7.0.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 8.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in FantasticPlugins SUMO Reward Points allows PHP Local File Inclusion.This issue affects SUMO Reward Points: from n/a through 30.7.0. Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in FantasticPlugins SUMO Reward Points rewardsystem allows PHP Local File Inclusion.This issue affects SUMO Reward Points: from n/a through <= 30.7.0.
References
Metrics cvssV3_1

{'score': 8.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H'}

 cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Mon, 09 Jun 2025 17:30:00 +0000

Type Values Removed Values Added
First Time appeared Fantasticplugins
Fantasticplugins sumo Reward Points
CPEs cpe:2.3:a:fantasticplugins:sumo_reward_points:*:*:*:*:*:*:*:*
Vendors & Products Fantasticplugins
Fantasticplugins sumo Reward Points

Mon, 19 May 2025 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 19 May 2025 20:15:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in FantasticPlugins SUMO Reward Points allows PHP Local File Inclusion.This issue affects SUMO Reward Points: from n/a through 30.7.0.
Title WordPress SUMO Reward Points plugin <= 30.7.0 - Local File Inclusion vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 8.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H'}

Subscriptions

Fantasticplugins Sumo Reward Points
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:29.202Z

Reserved: 2025-04-14T11:30:45.183Z

Link: CVE-2025-32925

cve-icon Vulnrichment

Updated: 2025-05-19T21:10:39.893Z

cve-icon NVD

Status : Modified

Published: 2025-05-19T20:15:22.070

Modified: 2026-04-23T15:29:22.647

Link: CVE-2025-32925

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T19:30:26Z

Weaknesses