Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in SEUR OFICIAL SEUR Oficial seur allows PHP Local File Inclusion. This issue affects SEUR Oficial: from n/a through <= 2.2.23.
Published: 2025-05-23
Score: 8.1 High
EPSS: 2.1% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is caused by improper validation of filenames used in PHP include/require statements within the SEUR Oficial WordPress plugin. This defect lets an attacker supply crafted input that causes the plugin to include arbitrary local files, which could be used to read sensitive configuration data or execute malicious PHP code. The impact includes disclosure of confidential information, alteration of web content, or full compromise of the affected WordPress site. The weakness is identified as CWE‑98, representing Improper Control of Filename for Include/Require.

Affected Systems

Affected systems are installations of the SEUR Oficial WordPress plugin version 2.2.23 or earlier. The vendor is SEUR OFICIAL. The vulnerability applies to all WordPress sites that have the plugin active before upgrading beyond the stated version. No specific operating system dependency is mentioned, but the issue exists on any server running PHP with WordPress.

Risk and Exploitability

Based on the description, the likely attack vector is a crafted HTTP request to a WordPress page that loads the plugin’s include logic. The exploit requires only web access to the vulnerable site; no additional credentials are needed. Because the inclusion path is not sanitized, the attacker can specify a path to any file on the server, enabling data disclosure or execution of PHP code. While the EPSS score of 2% indicates a low exploitation probability, the simplicity of the attack path and high CVSS score mean that the vulnerability demands immediate attention, especially on exposed WordPress installations.

Generated by OpenCVE AI on June 9, 2026 at 14:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Immediately upgrade the SEUR Oficial plugin to a version newer than 2.2.23 that addresses the LFI flaw.
  • If an upgrade is not yet available or cannot be applied, deactivate and delete the SEUR Oficial plugin from the WordPress installation to eliminate the attack surface.
  • As an interim workaround, modify the plugin’s source code to hard‑code safe include paths or remove the dynamic include logic, and set restrictive file permissions on the directories that contain sensitive files; then restart the web server.
  • Ensure all other WordPress components, themes, and plugins are kept up to date, and configure web application firewalls to block anomalous file inclusion patterns.
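
The "hard-code safe include paths" workaround above can be sketched as an allow-list lookup. This is an added example, not SEUR Oficial code and not part of the advisory; the `view` parameter, the template file names and the `example_*` functions are hypothetical.

```php
<?php
// Added example with hypothetical names; it is not the plugin's code.

// Unsafe pattern (CWE-98): request data is concatenated into the include path.
//   include __DIR__ . '/templates/' . $_GET['view'] . '.php';

// Hardened: the request value is only a lookup key; every path is a constant.
const EXAMPLE_VIEWS = [
    'label'    => 'templates/label.php',
    'tracking' => 'templates/tracking.php',
];

function example_resolve_view(string $requested, string $baseDir): ?string
{
    // Strict key lookup: unknown keys never reach the filesystem.
    if (!array_key_exists($requested, EXAMPLE_VIEWS)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . EXAMPLE_VIEWS[$requested]);
    // Defense in depth: the resolved file must exist and stay under the base
    // directory, which also catches symlinks placed among the templates.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function example_render_view(array $query, string $baseDir): bool
{
    $key = isset($query['view']) && is_string($query['view']) ? $query['view'] : '';
    $path = example_resolve_view($key, $baseDir);
    if ($path === null) {
        // Log rejected keys (printable ASCII only, truncated) for detection.
        $safe = substr(preg_replace('/[^\x20-\x7e]/', '?', $key), 0, 64);
        error_log('include rejected: key=' . $safe);
        return false;
    }
    require $path;
    return true;
}
```

Rejected keys end up in the PHP error log, so repeated rejections from one client are a usable detection signal alongside the WAF rule.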

Generated by OpenCVE AI on June 9, 2026 at 14:38 UTC.

Advisories
Source: EUVD
ID: EUVD-2025-28051
Title: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in SEUR OFICIAL SEUR Oficial allows PHP Local File Inclusion. This issue affects SEUR Oficial: from n/a through 2.2.23.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in SEUR OFICIAL SEUR Oficial allows PHP Local File Inclusion. This issue affects SEUR Oficial: from n/a through 2.2.23.
  Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in SEUR OFICIAL SEUR Oficial seur allows PHP Local File Inclusion.This issue affects SEUR Oficial: from n/a through <= 2.2.23.
Title
  Removed: WordPress SEUR Oficial <= 2.2.23 - Local File Inclusion Vulnerability
  Added: WordPress SEUR Oficial plugin <= 2.2.23 - Local File Inclusion Vulnerability
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Fri, 23 May 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 23 May 2025 13:00:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in SEUR OFICIAL SEUR Oficial allows PHP Local File Inclusion. This issue affects SEUR Oficial: from n/a through 2.2.23.
Title WordPress SEUR Oficial <= 2.2.23 - Local File Inclusion Vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:38.585Z

Reserved: 2025-04-24T14:22:47.048Z

Link: CVE-2025-46474

Vulnrichment

Updated: 2025-05-23T14:50:34.656Z

NVD

Status: Deferred

Published: 2025-05-23T13:15:35.673

Modified: 2026-04-23T15:30:04.093

Link: CVE-2025-46474

OpenCVE Enrichment

Updated: 2026-06-09T14:45:07Z
