Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Greg Winiarski WPAdverts wpadverts allows PHP Local File Inclusion. This issue affects WPAdverts: from n/a through <= 2.2.2.
Published: 2025-05-07
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper control of filenames supplied to PHP include/require statements in the WPAdverts plugin. This flaw allows an attacker to locally include arbitrary files on the web server, potentially leading to disclosure of sensitive data or execution of malicious code if a specially crafted file is placed in the local file system. The weakness is tracked as CWE‑98 and is not a remote file inclusion flaw despite the name, as the attacker does not need external network access to the target server but must be able to influence the include path on the server.

Affected Systems

The issue affects the WPAdverts plugin for WordPress released by Greg Winiarski version 2.2.2 and earlier. There are no specific sub‑versions beyond 2.2.2 mentioned; any site running those older releases is susceptible.

Risk and Exploitability

With a CVSS score of 7.5 and an EPSS below 1%, this vulnerability poses a moderate to high risk but is considered relatively unlikely to be actively exploited in the wild. It is not listed in the CISA KEV catalog, indicating no known widespread exploitation. The likely attack vector is local server exploitation, requiring the attacker to influence the include path through the plugin’s input controls – possibly via crafted query parameters or compromised user accounts that can upload files. Because the flaw does not rely on network authentication or remote code execution capabilities, the reasonable assumption is that it requires some level of access to the site’s backend or file system, which lowers the likelihood but also increases the value of remediation.

Generated by OpenCVE AI on April 30, 2026 at 20:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WPAdverts to a version newer than 2.2.2 that fixes the local file inclusion issue.
  • If an upgrade is not immediately possible, disable the WPAdverts plugin or remove it from any active installations to stop the vulnerable code path.
  • Configure web server or WordPress file permissions so that the directories writable by the plugin have no PHP execution rights; this prevents an attacker from placing executable files that could be included.

Advisories
Source: EUVD
ID: EUVD-2025-13869
Title: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Greg Winiarski WPAdverts allows PHP Local File Inclusion. This issue affects WPAdverts: from n/a through 2.2.2.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
Removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Greg Winiarski WPAdverts allows PHP Local File Inclusion. This issue affects WPAdverts: from n/a through 2.2.2.
Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Greg Winiarski WPAdverts wpadverts allows PHP Local File Inclusion.This issue affects WPAdverts: from n/a through <= 2.2.2.
Title
Removed: WordPress WPAdverts <= 2.2.2 - Local File Inclusion Vulnerability
Added: WordPress WPAdverts plugin <= 2.2.2 - Local File Inclusion Vulnerability
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Mon, 14 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss
Removed: {'score': 0.00147}
Added: {'score': 0.0017}


Wed, 07 May 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 07 May 2025 14:30:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Greg Winiarski WPAdverts allows PHP Local File Inclusion. This issue affects WPAdverts: from n/a through 2.2.2.
Title WordPress WPAdverts <= 2.2.2 - Local File Inclusion Vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:40.918Z

Reserved: 2025-05-07T09:38:32.077Z

Link: CVE-2025-47440

Vulnrichment

Updated: 2025-05-07T17:19:37.263Z

NVD

Status: Deferred

Published: 2025-05-07T15:15:58.053

Modified: 2026-04-23T15:30:13.120

Link: CVE-2025-47440

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T20:45:36Z
