Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Nawawi Jamili Docket Cache docket-cache allows PHP Local File Inclusion.This issue affects Docket Cache: from n/a through <= 24.07.02.
Published: 2025-04-17
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An improper control of the filename for the include/require statement in the PHP code of the Docket Cache plugin allows an attacker to specify arbitrary files on the local system for inclusion. This flaw can lead to execution of unintended code if the included files contain malicious PHP, resulting in potential data disclosure or full compromise of the site. The vulnerability is classified as CWE‑98 and carries a CVSS score of 7.5.

Affected Systems

The vulnerability affects the Nawawi Jamili Docket Cache plugin, specifically versions up through 24.07.02. Any installation of this plugin that has not been updated to a version newer than 24.07.02 is impacted.

Risk and Exploitability

The vulnerability has a moderate to high severity (CVSS 7.5) and an EPSS score of less than 1%, indicating a low but non‑zero likelihood of exploitation. It is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is through a crafted input that causes the plugin to include a local file, such as a path traversal or a specially crafted query to a plugin endpoint.

Generated by OpenCVE AI on April 30, 2026 at 22:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Docket Cache update (version newer than 24.07.02).
  • If an update cannot be applied immediately, disable the plugin so the vulnerable code path is not reachable.
  • Ensure that the web server and PHP configuration disallow file inclusion from user-supplied paths or enforce a strict whitelist of permitted include files.

Generated by OpenCVE AI on April 30, 2026 at 22:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-11785 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Nawawi Jamili Docket Cache allows PHP Local File Inclusion. This issue affects Docket Cache: from n/a through 24.07.02.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Nawawi Jamili Docket Cache allows PHP Local File Inclusion. This issue affects Docket Cache: from n/a through 24.07.02. Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Nawawi Jamili Docket Cache docket-cache allows PHP Local File Inclusion.This issue affects Docket Cache: from n/a through <= 24.07.02.
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Thu, 17 Apr 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 17 Apr 2025 15:30:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Nawawi Jamili Docket Cache allows PHP Local File Inclusion. This issue affects Docket Cache: from n/a through 24.07.02.
Title WordPress Docket Cache plugin <= 24.07.02 - Local File Inclusion vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:32.010Z

Reserved: 2025-04-16T06:23:36.339Z

Link: CVE-2025-39461

cve-icon Vulnrichment

Updated: 2025-04-17T17:41:49.199Z

cve-icon NVD

Status : Deferred

Published: 2025-04-17T16:15:55.830

Modified: 2026-04-23T15:29:36.177

Link: CVE-2025-39461

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T22:45:03Z

Weaknesses