Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in PublishPress PublishPress Authors publishpress-authors allows PHP Local File Inclusion.This issue affects PublishPress Authors: from n/a through <= 4.7.5.
Published: 2025-05-07
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The PublishPress Authors plugin contains a flaw where the filename used in PHP include/require statements is not properly controlled. This improper handling allows an attacker to influence which local file is included, potentially leading to execution of arbitrary code on the server. The flaw is a CWE‑98: Improper Control of Filename for Include/Require Statement. The severity rating of 7.5 reflects the high impact due to code execution capability and widespread availability of the plugin.

Affected Systems

The vulnerability is present in all released versions of the PublishPress Authors plugin up through 4.7.5. Any WordPress site that has this plugin installed and has not upgraded beyond version 4.7.5 is affected.

Risk and Exploitability

The CVSS score of 7.5 indicates a high risk, while the EPSS score of less than 1% suggests that exploitation is currently rare. The vulnerability is not listed in the CISA KEV catalog. The weakness type is CWE‑98, which can allow an attacker to include arbitrary local files by manipulating user input or crafted requests to the plugin's endpoint. The lack of a public list of exploits further implies that this vulnerability may be challenging to exploit in a real-world scenario.

Generated by OpenCVE AI on May 2, 2026 at 01:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the PublishPress Authors plugin to version 4.7.6 or later
  • Restrict the value used for the include/require statement by validating input against a whitelist of allowed filenames, addressing the CWE‑98 flaw
  • Configure the web server to prevent execution of files in directories used for includes or uploads, ensuring that arbitrary PHP files cannot be run

Generated by OpenCVE AI on May 2, 2026 at 01:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-13827 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in PublishPress PublishPress Authors allows PHP Local File Inclusion. This issue affects PublishPress Authors: from n/a through 4.7.5.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in PublishPress PublishPress Authors allows PHP Local File Inclusion. This issue affects PublishPress Authors: from n/a through 4.7.5. Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in PublishPress PublishPress Authors publishpress-authors allows PHP Local File Inclusion.This issue affects PublishPress Authors: from n/a through <= 4.7.5.
Title WordPress PublishPress Authors <= 4.7.5 - Local File Inclusion Vulnerability WordPress PublishPress Authors plugin <= 4.7.5 - Local File Inclusion Vulnerability
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Mon, 14 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00147}

 epss

{'score': 0.0017}

Wed, 07 May 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 07 May 2025 14:30:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in PublishPress PublishPress Authors allows PHP Local File Inclusion. This issue affects PublishPress Authors: from n/a through 4.7.5.
Title WordPress PublishPress Authors <= 4.7.5 - Local File Inclusion Vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:42.896Z

Reserved: 2025-05-07T09:39:15.825Z

Link: CVE-2025-47496

cve-icon Vulnrichment

Updated: 2025-05-07T14:47:08.852Z

cve-icon NVD

Status : Deferred

Published: 2025-05-07T15:16:04.017

Modified: 2026-04-23T15:30:20.120

Link: CVE-2025-47496

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-02T01:45:26Z

Weaknesses