Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in zamartz Checkout Field Visibility for WooCommerce checkout-field-visibility-for-woocommerce allows PHP Local File Inclusion. This issue affects Checkout Field Visibility for WooCommerce: from n/a through <= 1.3.0.
Published: 2025-04-24
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper control of the filename supplied to a PHP include or require statement lets an attacker trigger local file inclusion in the zamartz Checkout Field Visibility for WooCommerce plugin. This flaw can let the attacker read sensitive local files or, if a PHP file is included, execute arbitrary code, compromising the confidentiality, integrity, and potentially availability of the affected WordPress site.

Affected Systems

The vulnerability affects all installations of the zamartz Checkout Field Visibility for WooCommerce plugin with a version equal to or lower than 1.3.0. No specific patch version is listed, so any instance running version 1.3.0 or earlier is considered vulnerable.

Risk and Exploitability

The issue carries a CVSS score of 7.5, indicating high severity. The EPSS score is <1%, implying that while exploitation is possible, it is considered unlikely at present, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is local file inclusion through path manipulation in an HTTP request to the plugin’s endpoint, which would enable an attacker to read arbitrary files and potentially execute code if a PHP file is chosen.

Generated by OpenCVE AI on June 3, 2026 at 14:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Checkout Field Visibility for WooCommerce plugin to the latest available version (1.3.1 or newer).
  • If an immediate update is not feasible, temporarily disable the plugin until a patch is applied.
  • Review any custom code that interacts with the plugin’s include functionality and ensure that all filenames are sanitized to prevent path traversal or arbitrary file inclusion.



Advisories
Source: EUVD
ID: EUVD-2025-12070
Title: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in zamartz Checkout Field Visibility for WooCommerce allows PHP Local File Inclusion. This issue affects Checkout Field Visibility for WooCommerce: from n/a through 1.2.3.

History

Wed, 29 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in zamartz Checkout Field Visibility for WooCommerce allows PHP Local File Inclusion. This issue affects Checkout Field Visibility for WooCommerce: from n/a through 1.2.3.
  Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in zamartz Checkout Field Visibility for WooCommerce checkout-field-visibility-for-woocommerce allows PHP Local File Inclusion. This issue affects Checkout Field Visibility for WooCommerce: from n/a through <= 1.3.0.
Title
  Removed: WordPress Checkout Field Visibility for WooCommerce plugin <= 1.2.3 - Local File Inclusion vulnerability
  Added: WordPress Checkout Field Visibility for WooCommerce plugin <= 1.3.0 - Local File Inclusion vulnerability
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}


Fri, 25 Apr 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 24 Apr 2025 16:15:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in zamartz Checkout Field Visibility for WooCommerce allows PHP Local File Inclusion. This issue affects Checkout Field Visibility for WooCommerce: from n/a through 1.2.3.
Title WordPress Checkout Field Visibility for WooCommerce plugin <= 1.2.3 - Local File Inclusion vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}



MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-29T09:51:54.966Z

Reserved: 2025-04-16T06:22:42.846Z

Link: CVE-2025-39391

Vulnrichment

Updated: 2025-04-24T19:53:21.196Z

NVD

Status: Deferred

Published: 2025-04-24T16:15:32.473

Modified: 2026-04-29T10:16:46.680

Link: CVE-2025-39391

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-03T14:45:20Z

Weaknesses