Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Crocoblock JetReviews jet-reviews allows PHP Local File Inclusion. This issue affects JetReviews: from n/a through <= 2.3.6.
Published: 2025-05-19
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

JetReviews, a WordPress plugin by Crocoblock, in versions up to and including 2.3.6 passes an insufficiently controlled filename to a PHP include/require statement (CWE-98). An attacker who can influence that filename can make the plugin include a local file of their choosing. Files that do not contain PHP are emitted verbatim, so their contents are disclosed; a local file that does contain PHP code is executed with the web server's privileges. The weakness therefore threatens the confidentiality and integrity of the affected site, and the assigned CVSS vector rates the availability impact high as well.

Affected Systems

The vulnerability affects the JetReviews plugin from Crocoblock in all versions up to and including 2.3.6 (the advisory gives no lower bound). Any WordPress site with JetReviews at or below this version is potentially exposed.

Risk and Exploitability

The CVSS 3.1 base score of 7.5 (vector AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) rates the issue high: it is reachable over the network and needs no user interaction, but it requires low-privilege credentials (PR:L) and the attack complexity is high. The EPSS score below 1% estimates a low near-term probability of exploitation, the SSVC record lists exploitation as "none" and the issue as not automatable, and the vulnerability is not in the CISA KEV catalog. Consistent with the vector, the likely path is an authenticated, low-privileged WordPress user sending a crafted request in which a plugin parameter selects the file to include. Success discloses the contents of readable local files or, where the included file contains PHP, executes code on the server.

Generated by OpenCVE AI on May 1, 2026 at 08:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade JetReviews to a release later than 2.3.6 (2.3.7 or later). Confirm the fix against the vendor changelog, since no vendor advisory is linked on this page.
  • If an immediate upgrade is not possible, deactivate the plugin. Where that is not acceptable, reduce who can reach it: the CVSS vector requires an authenticated low-privilege user, so disabling open self-registration and pruning untrusted accounts narrows the population that can send the crafted request.
  • In plugin code, never pass request-derived strings to include/require; map user input to a fixed allowlist of template names and verify that the resolved path stays inside the intended directory. At the PHP level, open_basedir confines the paths PHP may open, and a web application firewall rule for path-traversal sequences in request parameters adds a blocking and detection point.
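The include pattern the Impact section describes and the allowlisting the last recommendation calls for, side by side. This is an added illustration, not JetReviews code and not the vulnerable code path in the plugin (which the page does not show); the function names, the template directory, the fixture files and the attacker-controlled value are assumptions made for the example.

```php
<?php
declare(strict_types=1);
// Added illustration, not JetReviews code: a generic WordPress-plugin-style
// template loader with a CWE-98 local file inclusion next to a hardened
// version. Function names, the template directory layout and the fixture
// files are assumptions made for this example.

const TEMPLATE_DIR = __DIR__ . '/lfi-demo/templates';

// Vulnerable pattern: a request parameter is glued onto a base directory and
// handed to include(). "../" sequences leave the directory, and any local file
// the web server can read is either echoed (plain text) or executed (PHP).
function render_template_vulnerable(string $tpl): string
{
    ob_start();
    include TEMPLATE_DIR . '/' . $tpl;
    return (string) ob_get_clean();
}

// Hardened pattern: translate the request value through a fixed allowlist so
// the user string never forms part of a filesystem path, then confirm the
// resolved path is still inside the template directory as defense in depth.
function render_template_safe(string $tpl): ?string
{
    static $allowed = [
        'grid' => 'reviews-grid.php',
        'list' => 'reviews-list.php',
    ];
    if (!isset($allowed[$tpl])) {
        return null;                       // unknown name: refuse, no fallback
    }
    $base = realpath(TEMPLATE_DIR);
    $real = realpath(TEMPLATE_DIR . '/' . $allowed[$tpl]);
    if ($base === false || $real === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;                       // resolved outside the directory
    }
    ob_start();
    include $real;
    return (string) ob_get_clean();
}

// Constructed fixture: two harmless templates plus a "secret" file one level
// above them, standing in for any sensitive local file the attacker wants.
@mkdir(TEMPLATE_DIR, 0700, true);
file_put_contents(TEMPLATE_DIR . '/reviews-grid.php', "<?php echo 'grid template';\n");
file_put_contents(TEMPLATE_DIR . '/reviews-list.php', "<?php echo 'list template';\n");
file_put_contents(dirname(TEMPLATE_DIR) . '/secret.txt', "DB_PASSWORD=hunter2\n");

$payload = '../secret.txt';               // constructed attacker-controlled value

echo "vulnerable('reviews-grid.php') -> ", render_template_vulnerable('reviews-grid.php'), "\n";
echo "vulnerable(payload)            -> ", render_template_vulnerable($payload); // leaks the secret
echo "safe('grid')                   -> ", render_template_safe('grid'), "\n";
echo "safe(payload)                  -> ", var_export(render_template_safe($payload), true), "\n";
```

Run it with the php CLI from any writable directory; it creates an lfi-demo fixture beside the script. The vulnerable loader prints the constructed secret file because include() emits non-PHP content verbatim, which is the disclosure case; a file containing PHP would instead be executed, which is the code-execution case. The hardened loader rejects the payload before any path is built, and the realpath check is a second line that also catches a symlink inside the template directory pointing elsewhere.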

Generated by OpenCVE AI on May 1, 2026 at 08:22 UTC.


Advisories
  • EUVD EUVD-2025-15750: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Crocoblock JetReviews allows PHP Local File Inclusion. This issue affects JetReviews: from n/a through 2.3.6.
History

Thu, 23 Apr 2026 15:00:00 +0000

  • Metrics (cvssV3_1): {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

  • Description
      Removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Crocoblock JetReviews allows PHP Local File Inclusion. This issue affects JetReviews: from n/a through 2.3.6.
      Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Crocoblock JetReviews jet-reviews allows PHP Local File Inclusion. This issue affects JetReviews: from n/a through <= 2.3.6.
  • References
  • Metrics (cvssV3_1): {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Mon, 19 May 2025 22:15:00 +0000

  • Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 19 May 2025 17:30:00 +0000

  • Description: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Crocoblock JetReviews allows PHP Local File Inclusion. This issue affects JetReviews: from n/a through 2.3.6.
  • Title: WordPress JetReviews plugin <= 2.3.6 - Local File Inclusion vulnerability
  • Weaknesses: CWE-98
  • References
  • Metrics (cvssV3_1): {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}



MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:30.327Z

Reserved: 2025-04-16T06:22:42.847Z

Link: CVE-2025-39396

Vulnrichment

Updated: 2025-05-19T21:14:55.635Z

NVD

Status : Deferred

Published: 2025-05-19T18:15:28.863

Modified: 2026-04-23T15:29:28.427

Link: CVE-2025-39396

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T08:30:12Z

Weaknesses