Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in wipeoutmedia CSS & JavaScript Toolbox css-javascript-toolbox allows PHP Local File Inclusion. This issue affects CSS & JavaScript Toolbox: from n/a through < 12.0.3.
Published: 2025-08-14
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An improper handling of filenames in the CSS & JavaScript Toolbox plugin’s include/require statements allows an attacker to include local files on the web server. The vulnerability could enable the attacker to read sensitive configuration files, user data, or potentially execute arbitrary code if a local file containing PHP code is included. The weakness is classified as a Local File Inclusion, which directly compromises confidentiality and integrity of the affected system.

Affected Systems

The flaw is present in all versions of the CSS & JavaScript Toolbox plugin released by wipeoutmedia prior to 12.0.3. Any site running the plugin with a version less than 12.0.3 is potentially affected. There is no evidence that later versions are impacted.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity. The EPSS score of <1% suggests that exploitation is currently uncommon, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is Local File Inclusion, whereby an attacker who can supply a crafted request path may trigger the inclusion of arbitrary local files.

Generated by OpenCVE AI on April 30, 2026 at 16:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the CSS & JavaScript Toolbox plugin to version 12.0.3 or later to remove the vulnerable include logic.
  • If an upgrade is not immediately possible, disable the plugin or remove it entirely from the site to prevent any use of the vulnerable code paths.
  • Review the plugin’s source for any remaining unfiltered include statements and ensure that user‑supplied file paths are strictly validated against an allow‑list before inclusion.

Advisories
Source: EUVD
ID: EUVD-2025-24726
Title: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in wipeoutmedia CSS & JavaScript Toolbox allows PHP Local File Inclusion. This issue affects CSS & JavaScript Toolbox: from n/a through n/a.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in wipeoutmedia CSS & JavaScript Toolbox allows PHP Local File Inclusion. This issue affects CSS & JavaScript Toolbox: from n/a through n/a.
  Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in wipeoutmedia CSS & JavaScript Toolbox css-javascript-toolbox allows PHP Local File Inclusion. This issue affects CSS & JavaScript Toolbox: from n/a through < 12.0.3.
Title
  Removed: WordPress CSS & JavaScript Toolbox < 12.0.3 - Local File Inclusion Vulnerability
  Added: WordPress CSS & JavaScript Toolbox plugin < 12.0.3 - Local File Inclusion vulnerability
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Thu, 14 Aug 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 14 Aug 2025 13:00:00 +0000

Type Values Removed Values Added
First Time appeared
  • Wipeoutmedia
  • Wipeoutmedia css & Javascript Toolbox
  • Wordpress
  • Wordpress wordpress
Vendors & Products
  • Wipeoutmedia
  • Wipeoutmedia css & Javascript Toolbox
  • Wordpress
  • Wordpress wordpress

Thu, 14 Aug 2025 10:45:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in wipeoutmedia CSS & JavaScript Toolbox allows PHP Local File Inclusion. This issue affects CSS & JavaScript Toolbox: from n/a through n/a.
Title WordPress CSS & JavaScript Toolbox < 12.0.3 - Local File Inclusion Vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:29.126Z

Reserved: 2025-04-16T06:27:39.093Z

Link: CVE-2025-3703

Vulnrichment

Updated: 2025-08-14T14:22:38.732Z

NVD

Status: Deferred

Published: 2025-08-14T11:15:34.317

Modified: 2026-04-23T15:29:52.607

Link: CVE-2025-3703

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T16:30:16Z

Weaknesses