Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Ashraful Sarkar Naiem License For Envato license-envato allows PHP Local File Inclusion. This issue affects License For Envato: from n/a through <= 1.0.0.
Published: 2025-04-24
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The License For Envato plugin contains an improper control of the filename used in a PHP include/require statement, enabling local file inclusion. This vulnerability allows an attacker to read arbitrary files from the server, and if the attacker can supply a file containing executable PHP code, it may lead to remote code execution. The weakness is categorized as CWE‑98.

Affected Systems

The vulnerability affects the WordPress plugin License For Envato by Ashraful Sarkar Naiem in all versions up to and including 1.0.0. The record lists no affected versions beyond 1.0.0.

Risk and Exploitability

The CVSS score of 7.5 is rated High. The EPSS score of < 1% indicates a low but non-zero probability of exploitation at the moment. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a crafted HTTP request that supplies a filename parameter to the plugin’s inclusion logic, enabling the attacker to read sensitive system files or execute malicious code if the web server allows PHP code execution from arbitrary files. On the target side, no conditions are required beyond the presence of the vulnerable plugin on a WordPress site; the CVSS vector on this record (AV:N/AC:H/PR:N/UI:R) additionally rates attack complexity as high and user interaction as required.

Generated by OpenCVE AI on June 3, 2026 at 14:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • If an updated version of the License For Envato plugin that resolves the file inclusion issue is available, upgrade the plugin immediately.
  • If no update is available, disable or uninstall the plugin to eliminate the vulnerable code path.
  • Configure the web server to restrict file read permissions for sensitive directories and limit PHP’s include path so that only trusted directories can be read by the application.

Advisories
Source: EUVD
ID: EUVD-2025-12084
Title: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Ashraful Sarkar Naiem License For Envato allows PHP Local File Inclusion. This issue affects License For Envato: from n/a through 1.0.0.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Ashraful Sarkar Naiem License For Envato allows PHP Local File Inclusion. This issue affects License For Envato: from n/a through 1.0.0.
  Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Ashraful Sarkar Naiem License For Envato license-envato allows PHP Local File Inclusion.This issue affects License For Envato: from n/a through <= 1.0.0.
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}


Fri, 25 Apr 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 24 Apr 2025 16:15:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Ashraful Sarkar Naiem License For Envato allows PHP Local File Inclusion. This issue affects License For Envato: from n/a through 1.0.0.
Title WordPress License For Envato plugin <= 1.0.0 - Local File Inclusion vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:30.199Z

Reserved: 2025-04-16T06:22:51.799Z

Link: CVE-2025-39399

Vulnrichment

Updated: 2025-04-24T19:53:23.996Z

NVD

Status: Deferred

Published: 2025-04-24T16:15:32.743

Modified: 2026-04-23T15:29:28.787

Link: CVE-2025-39399

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-03T14:45:20Z

Weaknesses