Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in svil4ok Meta Keywords & Description wp-meta-keywords-meta-description allows PHP Local File Inclusion.This issue affects Meta Keywords & Description: from n/a through <= 0.8.
Published: 2025-05-23
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from improper validation of filenames used in PHP include/require statements within the svil4ok Meta Keywords & Description plugin. The flaw allows local file inclusion, which can enable an attacker to read sensitive files or potentially execute arbitrary PHP code if crafted correctly, resulting in a breach of confidentiality, integrity, or availability. The weakness corresponds to CWE‑98.

Affected Systems

Affected WordPress sites that have installed the svil4ok Meta Keywords & Description plugin at version 0.8 or earlier. No specific PHP or WordPress version requirements are mentioned, so any WordPress deployment with the vulnerable plugin is impacted.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity, but the EPSS score is under 1%, suggesting a low likelihood of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. An attacker could potentially trigger the inclusion by sending a crafted request to the plugin’s include endpoint; however, the precise authentication prerequisites are not disclosed, so it is inferred that either any visitor or a privileged user could exploit it depending on the plugin’s exposure.

Generated by OpenCVE AI on April 30, 2026 at 19:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the plugin to version 0.9 or newer, or uninstall it if not required.
  • If an update cannot be applied immediately, disable the plugin or block access to its endpoints so the vulnerable include paths are not reachable.
  • Restrict file permissions on the WordPress installation so the web server cannot read arbitrary files, and monitor access logs for suspicious include requests.

Generated by OpenCVE AI on April 30, 2026 at 19:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-28044 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in svil4ok Meta Keywords &amp; Description allows PHP Local File Inclusion. This issue affects Meta Keywords &amp; Description: from n/a through 0.8.
History

Tue, 28 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in svil4ok Meta Keywords &amp; Description wp-meta-keywords-meta-description allows PHP Local File Inclusion.This issue affects Meta Keywords &amp; Description: from n/a through <= 0.8. Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in svil4ok Meta Keywords & Description wp-meta-keywords-meta-description allows PHP Local File Inclusion.This issue affects Meta Keywords & Description: from n/a through <= 0.8.

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in svil4ok Meta Keywords &amp; Description allows PHP Local File Inclusion. This issue affects Meta Keywords &amp; Description: from n/a through 0.8. Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in svil4ok Meta Keywords &amp; Description wp-meta-keywords-meta-description allows PHP Local File Inclusion.This issue affects Meta Keywords &amp; Description: from n/a through <= 0.8.
Title WordPress Meta Keywords & Description <= 0.8 - Local File Inclusion Vulnerability WordPress Meta Keywords & Description plugin <= 0.8 - Local File Inclusion Vulnerability
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Fri, 23 May 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 23 May 2025 13:00:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in svil4ok Meta Keywords &amp; Description allows PHP Local File Inclusion. This issue affects Meta Keywords &amp; Description: from n/a through 0.8.
Title WordPress Meta Keywords & Description <= 0.8 - Local File Inclusion Vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:37.681Z

Reserved: 2025-04-24T14:22:30.736Z

Link: CVE-2025-46454

cve-icon Vulnrichment

Updated: 2025-05-23T13:43:36.166Z

cve-icon NVD

Status : Deferred

Published: 2025-05-23T13:15:34.620

Modified: 2026-04-28T19:32:12.843

Link: CVE-2025-46454

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T19:15:16Z

Weaknesses