Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Capturly Capturly capturly-optimize-your-website allows PHP Local File Inclusion. This issue affects Capturly: from n/a through <= 2.0.1.
Published: 2025-04-24
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Capturly WordPress plugin contains a flaw where the filename given to a PHP include/require call is not validated, allowing an attacker to cause the server to include arbitrary local files. By triggering this vulnerability, an unauthenticated visitor can read files that the web server process can access, potentially leaking configuration data, credentials or other sensitive information. This weakness aligns with CWE‑98, which describes improper control of the filename used for file inclusion.

Affected Systems

All WordPress sites that have the Capturly plugin version 2.0.1 or earlier are affected. The vulnerability applies to every installation because the flaw exists in the plugin code independent of the hosting environment, and no additional configuration changes are required for the issue to be exploitable.

Risk and Exploitability

The CVSS base score of 7.5 indicates high severity, while an EPSS score of <1% indicates a low estimated probability of exploitation. The vulnerability is not listed in the CISA KEV catalog, meaning exploitation in the wild has not been confirmed there. The likely attack vector is through crafted URLs or form inputs that manipulate the parameter feeding the include/require statement, enabling an unauthenticated visitor to trigger the inclusion of local files.

Generated by OpenCVE AI on June 4, 2026 at 15:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Capturly plugin to the latest version, which includes code that validates the filename and mitigates the CWE‑98 flaw.
  • If the plugin must remain on an older version, configure a Web Application Firewall or server rule that blocks requests containing directory‑traversal sequences or arbitrary file paths in the include parameter, thereby defending against the improper filename control attack.
  • Limit web access to the plugin’s directory by setting .htaccess or firewall rules so that only authorized administrators can reach the plugin files, reducing the potential impact of an LFI exploit.

Advisories
Source: EUVD
ID: EUVD-2025-12083
Title: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Capturly Capturly allows PHP Local File Inclusion. This issue affects Capturly: from n/a through 2.0.1.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
Values Removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Capturly Capturly allows PHP Local File Inclusion. This issue affects Capturly: from n/a through 2.0.1.
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Capturly Capturly capturly-optimize-your-website allows PHP Local File Inclusion.This issue affects Capturly: from n/a through <= 2.0.1.
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}


Fri, 25 Apr 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 24 Apr 2025 16:15:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Capturly Capturly allows PHP Local File Inclusion. This issue affects Capturly: from n/a through 2.0.1.
Title WordPress Capturly plugin <= 2.0.1 - Local File Inclusion vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:29.768Z

Reserved: 2025-04-16T06:22:35.637Z

Link: CVE-2025-39379

Vulnrichment

Updated: 2025-04-24T19:53:07.320Z

NVD

Status: Deferred

Published: 2025-04-24T16:15:31.290

Modified: 2026-04-23T15:29:26.707

Link: CVE-2025-39379

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-04T15:45:17Z

Weaknesses