Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WP Shuffle Subscribe to Unlock Lite subscribe-to-unlock-lite allows PHP Local File Inclusion. This issue affects Subscribe to Unlock Lite: from n/a through <= 1.3.0.
Published: 2025-04-16
Score: 7.5 High
EPSS: 1.6% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper control of the filename used in include or require statements in the WordPress Subscribe to Unlock Lite plugin allows local file inclusion. Based on the description, it is inferred that this could enable an attacker to read sensitive files or execute code stored on the server. The vulnerability is identified as CWE-98 and can lead to full compromise of the affected WordPress site if the attacker uploads malicious content and then triggers the include path. The impact is likewise inferred to span confidentiality, integrity, and availability of the website and its data.

Affected Systems

The vulnerability affects the WordPress Subscribe to Unlock Lite plugin by WP Shuffle, specifically all installed versions up to and including 1.3.0. No other vendors or products are listed as affected.

Risk and Exploitability

With a CVSS score of 7.5, the vulnerability is considered high severity. However, the EPSS score is 2% and the vulnerability is not listed in CISA’s KEV catalog, indicating a low to very low likelihood of widespread exploitation. The likely attack vector is through the website’s request handling, where unvalidated path parameters are passed to an include or require statement, allowing the attacker to control the path of a local file.

Generated by OpenCVE AI on May 25, 2026 at 15:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Subscribe to Unlock Lite to a version newer than 1.3.0, which removes the vulnerable include logic.
  • If an upgrade is not immediately possible, isolate the plugin by blocking direct access to its include paths via the web server or an application firewall.
  • Configure the WordPress environment to disable PHP’s allow_url_include setting and validate or hard‑code file paths before inclusion to prevent future LFI issues.

Advisories
Source: EUVD
ID: EUVD-2025-11297
Title: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WP Shuffle Subscribe to Unlock Lite allows PHP Local File Inclusion. This issue affects Subscribe to Unlock Lite: from n/a through 1.3.0.

History

Fri, 24 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WP Shuffle Subscribe to Unlock Lite allows PHP Local File Inclusion. This issue affects Subscribe to Unlock Lite: from n/a through 1.3.0.
  Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WP Shuffle Subscribe to Unlock Lite subscribe-to-unlock-lite allows PHP Local File Inclusion. This issue affects Subscribe to Unlock Lite: from n/a through <= 1.3.0.
Title
  Removed: WordPress Subscribe to Unlock Lite <= 1.3.0 - Local File Inclusion Vulnerability
  Added: WordPress Subscribe to Unlock Lite plugin <= 1.3.0 - Local File Inclusion Vulnerability
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Wed, 16 Apr 2025 12:45:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WP Shuffle Subscribe to Unlock Lite allows PHP Local File Inclusion. This issue affects Subscribe to Unlock Lite: from n/a through 1.3.0.
Title WordPress Subscribe to Unlock Lite <= 1.3.0 - Local File Inclusion Vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:35.396Z

Reserved: 2025-04-16T06:26:52.002Z

Link: CVE-2025-39592

Vulnrichment

Updated: 2025-04-16T14:12:13.277Z

NVD

Status: Deferred

Published: 2025-04-16T13:15:51.950

Modified: 2026-04-23T15:29:51.120

Link: CVE-2025-39592

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-25T15:15:28Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')