Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in GhozyLab Popup Builder easy-notify-lite allows PHP Local File Inclusion. This issue affects Popup Builder: from n/a through <= 1.1.35.
Published: 2025-04-24
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper control of the filename used in a PHP include/require statement allows an attacker to read any file on the local filesystem via the Popup Builder plugin. This flaw is classified as CWE‑98, Improper Control of Filename for Include/Require Statement in PHP Program. This local file inclusion can lead to disclosure of sensitive data or, if an attacker can supply a path pointing to a PHP file, to arbitrary code execution on the server, compromising the confidentiality, integrity, or availability of the affected WordPress site.

Affected Systems

The vulnerability affects the GhozyLab Popup Builder easy-notify-lite plugin version 1.1.35 and all prior releases. Any WordPress site that installs or keeps this plugin at those versions is at risk.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity vulnerability. The EPSS score of less than 1 percent suggests that exploitation is currently rare. The defect is not listed in the CISA KEV catalog. The likely attack vector involves an attacker who can influence the file path parameter used by the plugin, which could be done via a publicly accessible endpoint or by bypassing authentication if the plugin accepts input from non‑logged‑in users. Successful exploitation could result in local file reading or code execution.

Generated by OpenCVE AI on May 1, 2026 at 09:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Popup Builder easy-notify-lite plugin to version 1.1.36 or newer.
  • If an upgrade is not immediately possible, remove the plugin or disable it to prevent the vulnerable code from executing.
  • Ensure that all WordPress installations enforce least privilege on file access and restrict directory traversal through web server configuration as an additional safeguard.

Advisories

Source: EUVD
ID: EUVD-2025-12086
Title: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in GhozyLab Popup Builder allows PHP Local File Inclusion. This issue affects Popup Builder: from n/a through 1.1.35.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in GhozyLab Popup Builder allows PHP Local File Inclusion. This issue affects Popup Builder: from n/a through 1.1.35.
  Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in GhozyLab Popup Builder easy-notify-lite allows PHP Local File Inclusion. This issue affects Popup Builder: from n/a through <= 1.1.35.
Title
  Removed: WordPress Popup Builder <= 1.1.35 - Local File Inclusion Vulnerability
  Added: WordPress Popup Builder plugin <= 1.1.35 - Local File Inclusion Vulnerability
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Fri, 25 Apr 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 24 Apr 2025 16:15:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in GhozyLab Popup Builder allows PHP Local File Inclusion. This issue affects Popup Builder: from n/a through 1.1.35.
Title WordPress Popup Builder <= 1.1.35 - Local File Inclusion Vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Ghozylab Popup Builder
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-12T00:13:43.900Z

Reserved: 2025-04-22T08:46:38.826Z

Link: CVE-2025-46230

Vulnrichment

Updated: 2025-04-24T19:53:30.388Z

NVD

Status: Deferred

Published: 2025-04-24T16:15:33.787

Modified: 2026-04-23T15:29:54.820

Link: CVE-2025-46230

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T09:15:13Z
