Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in mojoomla WPAMS apartment-management allows PHP Local File Inclusion. This issue affects WPAMS: from n/a through <= 44.0.
Published: 2025-05-19
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper control of filenames in the WPAMS apartment-management plugin allows a local file inclusion that an authenticated user can exploit to load arbitrary PHP files. The attacker can then execute code in the context of the web application, resulting in privilege escalation. The flaw is classified as CWE-98 and carries a CVSS score of 9.8.

Affected Systems

All installations of the WPAMS plugin version 44.0 or earlier. The issue originates from the plugin's inclusion logic and affects every instance of the plugin from its earliest release up to the stated maximum version.

Risk and Exploitability

The CVSS score of 9.8 indicates a critical level of severity. The EPSS score is below 1 percent, suggesting a low current probability of exploitation, but the vulnerability remains severe. Because it is not listed in the CISA KEV catalog, no exploitation in the wild has been reported; the local file inclusion could nonetheless be triggered by users with sufficient plugin permissions. The likely attack path is an authenticated administrator exploiting the plugin's file inclusion functionality to reference arbitrary system files, directing the server to include malicious code.

Generated by OpenCVE AI on April 30, 2026 at 19:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WPAMS to the latest version that addresses the local file inclusion flaw, ensuring the fixed code is deployed.
  • Restrict file inclusion endpoints and enforce strict filename validation, or temporarily disable the plugin if not needed, to eliminate the arbitrary file inclusion vector.
  • Implement a web application firewall or file integrity monitoring to detect anomalous file inclusion attempts and quickly remediate them.

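One way to implement the filename-validation recommendation above, as an added example that is not WPAMS's own code: the request parameter is used only as a key into a fixed allowlist of templates, and the resolved path is additionally checked to stay inside the template directory before it reaches `require`. The function name, the `view` parameter and the template names are hypothetical.

```php
<?php
// Added example (not WPAMS code): resolving a user-controlled view name
// to a template file without letting the caller choose the path.
// All names here (wpams_demo_*, the 'view' parameter) are hypothetical.

declare(strict_types=1);

/**
 * Map a request value to one of a fixed set of template files.
 * Returns the absolute path to include, or null if the value is not allowed.
 */
function wpams_demo_resolve_view(string $requested, string $templateDir): ?string
{
    // Allowlist: request values on the left, files on the right. The
    // request value is only ever used as a lookup key, never as a path.
    static $views = [
        'dashboard' => 'dashboard.php',
        'tenants'   => 'tenants.php',
        'invoices'  => 'invoices.php',
    ];
    if (!array_key_exists($requested, $views)) {
        return null;
    }
    // Defence in depth: confirm the resolved file really lives inside the
    // template directory, so a misconfigured map cannot escape it either.
    $base = realpath($templateDir);
    $path = realpath($templateDir . DIRECTORY_SEPARATOR . $views[$requested]);
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Usage in a request handler: unknown values fall back to a fixed default
// instead of ever being passed to include/require.
$templateDir = __DIR__ . '/templates';          // hypothetical location
$requested   = (string) ($_GET['view'] ?? 'dashboard');
$view = wpams_demo_resolve_view($requested, $templateDir)
     ?? wpams_demo_resolve_view('dashboard', $templateDir);
if ($view === null) {
    http_response_code(500);
    exit('Template directory is missing.');
}
require $view;
```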


Advisories

  Source: EUVD
  ID: EUVD-2025-15763
  Title: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in mojoomla WPAMS allows PHP Local File Inclusion. This issue affects WPAMS: from n/a through 44.0.
History

Thu, 23 Apr 2026 15:00:00 +0000

  Metrics (cvssV3_1) added: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000

  Description removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in mojoomla WPAMS allows PHP Local File Inclusion. This issue affects WPAMS: from n/a through 44.0.
  Description added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in mojoomla WPAMS apartment-management allows PHP Local File Inclusion. This issue affects WPAMS: from n/a through <= 44.0.
  References: changed
  Metrics (cvssV3_1) added: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Mon, 19 May 2025 22:15:00 +0000

  Metrics (ssvc) added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 19 May 2025 19:15:00 +0000

  Description added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in mojoomla WPAMS allows PHP Local File Inclusion. This issue affects WPAMS: from n/a through 44.0.
  Title added: WordPress WPAMS plugin <= 44.0 - Local File Inclusion to Privilege Escalation vulnerability
  Weaknesses added: CWE-98
  References: changed
  Metrics (cvssV3_1) added: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}



MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:30.354Z

Reserved: 2025-04-16T06:22:51.799Z

Link: CVE-2025-39406

Vulnrichment

Updated: 2025-05-19T21:13:32.656Z

NVD

Status : Deferred

Published: 2025-05-19T19:15:48.910

Modified: 2026-04-23T15:29:29.637

Link: CVE-2025-39406

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T19:45:26Z

Weaknesses