Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WP Chill Download Monitor download-monitor allows PHP Local File Inclusion. This issue affects Download Monitor: from n/a through <= 5.0.22.
Published: 2025-05-07
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is due to improper validation of a filename before it is passed to a PHP include. This flaw allows an attacker to supply an arbitrary path in a request processed by WP Chill Download Monitor, which can result in local files being read or executed. The weakness is classified as CWE-98; if an attacker can manipulate the include path, the local inclusion can lead to disclosure of sensitive data or execution of malicious code on the server.

Affected Systems

The issue affects the WordPress Download Monitor plugin in all versions from the earliest release through 5.0.22. Administrators should check whether any of their WordPress sites has this plugin installed and, if so, whether the installed version falls in the affected range.

Risk and Exploitability

The CVSS score of 7.5 reflects a high impact for a local file inclusion flaw. The EPSS score is below 1%, indicating that exploitation is considered rare but not impossible, and the issue does not appear in the CISA KEV catalog. Based on the description, the likely attack vector is an unauthenticated HTTP request that supplies a crafted file name, which the vulnerable plugin then passes to an insecure include. The attack does not require elevated privileges, but the target must be reachable from the Internet. Monitoring and limiting inbound traffic to the vulnerable download URLs can reduce the attack surface.

Generated by OpenCVE AI on May 1, 2026 at 08:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Download Monitor plugin to version 5.0.23 or later, which contains the necessary include-path validation fix.
  • If an immediate update cannot be performed, restrict or block access to the download endpoints (for example with .htaccess rules or firewall rules) to prevent the insecure inclusion from being triggered.
  • As a temporary safeguard, apply strict file-permission restrictions to the web root and enable logging of include actions so that any attempted exploitation can be detected and investigated.

Generated by OpenCVE AI on May 1, 2026 at 08:59 UTC.

Advisories

Source: EUVD
ID: EUVD-2025-13870
Title: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WP Chill Download Monitor allows PHP Local File Inclusion. This issue affects Download Monitor: from n/a through 5.0.22.

History

Thu, 23 Apr 2026 15:00:00 +0000
  Metrics cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000
  Description removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WP Chill Download Monitor allows PHP Local File Inclusion. This issue affects Download Monitor: from n/a through 5.0.22.
  Description added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WP Chill Download Monitor download-monitor allows PHP Local File Inclusion.This issue affects Download Monitor: from n/a through <= 5.0.22.
  Title removed: WordPress Download Monitor <= 5.0.22 - Local File Inclusion Vulnerability
  Title added: WordPress Download Monitor plugin <= 5.0.22 - Local File Inclusion Vulnerability
  References: (no values shown)
  Metrics cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Mon, 14 Jul 2025 13:45:00 +0000
  Metrics epss removed: {'score': 0.00147}
  Metrics epss added: {'score': 0.0017}

Wed, 07 May 2025 19:15:00 +0000
  Metrics ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 07 May 2025 14:30:00 +0000
  Description: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WP Chill Download Monitor allows PHP Local File Inclusion. This issue affects Download Monitor: from n/a through 5.0.22.
  Title: WordPress Download Monitor <= 5.0.22 - Local File Inclusion Vulnerability
  Weaknesses: CWE-98
  References: (no values shown)
  Metrics cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:40.906Z

Reserved: 2025-05-07T09:38:32.076Z

Link: CVE-2025-47439

Vulnrichment

Updated: 2025-05-07T17:19:39.844Z

NVD

Status: Deferred

Published: 2025-05-07T15:15:57.893

Modified: 2026-04-23T15:30:12.990

Link: CVE-2025-47439

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T09:00:12Z

Weaknesses
  • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')