Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in cmsmasters CMSMasters Content Composer cmsmasters-content-composer allows PHP Local File Inclusion. This issue affects CMSMasters Content Composer: from n/a through < 2.5.7.
Published: 2025-07-04
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in CMSMasters Content Composer where an attacker may supply a crafted filename to an include/require statement in the plugin’s PHP code. This flaw permits the inclusion of arbitrary local files, enabling the reading of sensitive data on the server and, in contexts where executable PHP files can be placed locally, the execution of arbitrary code. The impact is primarily on confidentiality and integrity of the system’s files, and could lead to a full compromise of the affected WordPress site if the attacker can upload or alter local PHP scripts.

Affected Systems

CMSMasters Content Composer plugin versions older than 2.5.7 are affected. The flaw is present in all releases prior to 2.5.7, with no specific sub‑versions listed for remediation.

Risk and Exploitability

The CVSS score is 8.1, indicating a high severity. The EPSS score is below 1%, suggesting that current exploitation activity is low, and the vulnerability is not listed in CISA’s KEV catalog. The attack vector is local: an attacker with the ability to craft a request to the vulnerable plugin or to supply a file path that bypasses validation can trigger the include. Because the flaw is within a plugin on a WordPress installation, a successful exploit could allow reading of configuration files, database credentials or other sensitive data, and potentially lead to full server compromise.

Generated by OpenCVE AI on April 30, 2026 at 09:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade CMSMasters Content Composer to version 2.5.7 or newer.
  • If an upgrade is not immediately possible, disable or uninstall the plugin until the patch is applied.
  • Implement input validation on the plugin’s filename parameter, ensuring only allowed, relative paths are accepted, and that no directories beyond the intended include directory can be accessed.


Advisories
Source: EUVD
ID: EUVD-2025-20006
Title: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in cmsmasters CMSMasters Content Composer allows PHP Local File Inclusion. This issue affects CMSMasters Content Composer: from n/a through n/a.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in cmsmasters CMSMasters Content Composer allows PHP Local File Inclusion. This issue affects CMSMasters Content Composer: from n/a through n/a.
  Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in cmsmasters CMSMasters Content Composer cmsmasters-content-composer allows PHP Local File Inclusion. This issue affects CMSMasters Content Composer: from n/a through < 2.5.7.
Title
  Removed: WordPress CMSMasters Content Composer < 2.5.7 - Local File Inclusion Vulnerability
  Added: WordPress CMSMasters Content Composer plugin < 2.5.7 - Local File Inclusion vulnerability
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Tue, 08 Jul 2025 08:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 04 Jul 2025 11:30:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in cmsmasters CMSMasters Content Composer allows PHP Local File Inclusion. This issue affects CMSMasters Content Composer: from n/a through n/a.
Title WordPress CMSMasters Content Composer < 2.5.7 - Local File Inclusion Vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:36.640Z

Reserved: 2025-05-07T10:46:04.912Z

Link: CVE-2025-4414

Vulnrichment

Updated: 2025-07-07T14:06:50.168Z

NVD

Status: Deferred

Published: 2025-07-04T12:15:32.617

Modified: 2026-04-23T15:31:57.100

Link: CVE-2025-4414

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T10:00:16Z

Weaknesses