Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Földesi, Mihály Széchenyi 2020 Logo szechenyi-2020-logo allows PHP Local File Inclusion. This issue affects Széchenyi 2020 Logo: from n/a through <= 1.1.
Published: 2025-04-17
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper control of filenames in a PHP "include/require" statement allows an attacker to read or execute files from the local filesystem. The vulnerability, classified under CWE‑98, can expose sensitive server files such as configuration or credentials, and in some cases may enable remote code execution if the attacker can supply a PHP file. The impact is confined to the file system of the hosting server and can compromise confidentiality, integrity, or availability for the affected site.

Affected Systems

WordPress sites that have installed the Széchenyi 2020 Logo plugin up to and including version 1.1 are affected. Users should check that no older, unpatched versions are in use.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity vulnerability. The EPSS score is reported as less than 1%, suggesting that exploitation attempts are currently rare. The vulnerability is not listed in CISA’s KEV catalog. Based on the description, the likely attack vector is a local file inclusion via a plugin parameter that accepts file paths; exploitation would require the attacker to supply a crafted value to the plugin’s filename variable, enabling access to arbitrary files on the server. Because the plugin does not enforce strict path validation or whitelist checks, the risk of successful exploitation is moderate but significant when the plugin is exposed to unauthenticated users or administrative input.

Generated by OpenCVE AI on April 30, 2026 at 22:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Széchenyi 2020 Logo plugin to a version newer than 1.1 (e.g., 1.2 or later) where the include logic has been fixed.
  • If an upgrade cannot be performed immediately, edit the plugin’s PHP files to eliminate any `include` or `require` statements that use user‑supplied input; replace them with hard‑coded safe paths or a validated whitelist of allowed files.
  • Implement a web‑application firewall rule that blocks directory‑traversal patterns such as "../" or URL‑encoded equivalents when targeting the plugin’s directory, thereby preventing malicious file path manipulation.
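
The validated-allowlist approach from the second recommendation, as an added example (not the plugin's code and not from its author). The function name `resolve_layout`, the `layout` parameter, the file names and the temporary directory are hypothetical and constructed for illustration:

```php
<?php
declare(strict_types=1);

// Weak pattern (hypothetical, for contrast; not taken from the plugin):
//   include $baseDir . '/' . $_GET['layout'] . '.php';
// The request value becomes part of the path, so it decides which file is loaded.

/**
 * Map a request value to a file through a fixed allowlist.
 * Returns the absolute path to include, or null when the request is rejected.
 */
function resolve_layout(string $requested, string $baseDir, array $allowed): ?string
{
    // 1. Only known keys are accepted; the raw value never reaches the path.
    if (!array_key_exists($requested, $allowed)) {
        return null;
    }
    // 2. Defence in depth: the resolved file must exist and still sit inside
    //    $baseDir (catches symlinks or a bad allowlist entry).
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $allowed[$requested]);
    if ($base === false || $path === false) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo: a temporary directory stands in for a template folder.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'layout_demo_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . '/wide.php', "<?php return 'wide layout';\n");
$allowed = ['wide' => 'wide.php', 'narrow' => 'narrow.php']; // narrow.php is absent on disk

foreach (['wide', 'narrow', '../outside', 'wide.php'] as $input) {
    $path = resolve_layout($input, $dir, $allowed);
    if ($path === null) {
        echo str_pad($input, 14), "rejected\n";
        continue;
    }
    $result = include $path; // path comes from the allowlist, never from the request
    echo str_pad($input, 14), 'included: ', $result, "\n";
}
unlink($dir . '/wide.php');
rmdir($dir);
```

Only `wide` is included; the missing file, the traversal-style value and the raw file name are all rejected before any `include` runs.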

Advisories
Source: EUVD
ID: EUVD-2025-11583
Title: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Földesi, Mihály Széchenyi 2020 Logo allows PHP Local File Inclusion. This issue affects Széchenyi 2020 Logo: from n/a through 1.1.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Földesi, Mihály Széchenyi 2020 Logo allows PHP Local File Inclusion. This issue affects Széchenyi 2020 Logo: from n/a through 1.1.
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Földesi, Mihály Széchenyi 2020 Logo szechenyi-2020-logo allows PHP Local File Inclusion. This issue affects Széchenyi 2020 Logo: from n/a through <= 1.1.

Type: Title
Values Removed: WordPress Széchenyi 2020 Logo <= 1.1 - Local File Inclusion Vulnerability
Values Added: WordPress Széchenyi 2020 Logo <= 1.1 - Local File Inclusion vulnerability
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}


Thu, 17 Apr 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 17 Apr 2025 15:30:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Földesi, Mihály Széchenyi 2020 Logo allows PHP Local File Inclusion. This issue affects Széchenyi 2020 Logo: from n/a through 1.1.
Title WordPress Széchenyi 2020 Logo <= 1.1 - Local File Inclusion Vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:31.312Z

Reserved: 2025-04-16T06:23:15.163Z

Link: CVE-2025-39429

Vulnrichment

Updated: 2025-04-17T15:50:15.407Z

NVD

Status: Deferred

Published: 2025-04-17T16:15:53.033

Modified: 2026-04-23T15:29:32.267

Link: CVE-2025-39429

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T22:30:02Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')