Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Capturly Capturly capturly-optimize-your-website allows PHP Local File Inclusion. This issue affects Capturly: from n/a through <= 2.0.1.
Published: 2025-04-24
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Capturly WordPress plugin contains a flaw where the filename supplied to a PHP include/require statement is not properly validated, leading to a Local File Inclusion vulnerability. This weakness permits an attacker to read any file that the web server can access, potentially exposing sensitive configuration data or credentials. The issue is classified as CWE-98, which identifies improper control of the filename used for inclusion.

Affected Systems

All installations of the Capturly plugin with a version of 2.0.1 or earlier are affected. Owners of WordPress sites running these plugin versions are at risk regardless of the specific WordPress configuration.

Risk and Exploitability

The CVSS base score is 7.5, indicating a high severity, while the EPSS score of less than 1% shows that exploitation is currently considered low probability. The vulnerability is not listed in the CISA KEV catalog, meaning no publicly documented exploits are known. The likely attack vector is through crafted URLs or form inputs that manipulate the parameter used in the include/require statement, enabling an unauthenticated visitor to trigger the inclusion of local files.

Generated by OpenCVE AI on May 1, 2026 at 09:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Capturly plugin to a version newer than 2.0.1.
  • Restrict web access to the Capturly plugin directory so that only authenticated administrators can reach it, for example by configuring .htaccess rules or server‑level firewall rules.
  • Configure a web application firewall to detect and block suspicious include attempts, such as URLs containing directory traversal patterns or other path manipulation techniques.



Advisories
Source: EUVD
ID: EUVD-2025-12083
Title: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Capturly Capturly allows PHP Local File Inclusion. This issue affects Capturly: from n/a through 2.0.1.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Capturly Capturly allows PHP Local File Inclusion. This issue affects Capturly: from n/a through 2.0.1.
  Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Capturly Capturly capturly-optimize-your-website allows PHP Local File Inclusion. This issue affects Capturly: from n/a through <= 2.0.1.
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}


Fri, 25 Apr 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 24 Apr 2025 16:15:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Capturly Capturly allows PHP Local File Inclusion. This issue affects Capturly: from n/a through 2.0.1.
Title WordPress Capturly plugin <= 2.0.1 - Local File Inclusion vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:29.768Z

Reserved: 2025-04-16T06:22:35.637Z

Link: CVE-2025-39379

Vulnrichment

Updated: 2025-04-24T19:53:07.320Z

NVD

Status: Deferred

Published: 2025-04-24T16:15:31.290

Modified: 2026-04-23T15:29:26.707

Link: CVE-2025-39379

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T09:15:13Z
