Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Xylus Themes XT Event Widget for Social Events xt-facebook-events allows PHP Local File Inclusion. This issue affects XT Event Widget for Social Events: from n/a through <= 1.1.7.
Published: 2025-05-07
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The XT Event Widget for Social Events plugin for WordPress does not properly control the filename used in a PHP include/require statement, so an attacker can request inclusion of arbitrary local files. The flaw maps to CWE-98; it can expose sensitive file contents and, if an included file contains PHP, cause the server to execute unintended code.

Affected Systems

WordPress sites that have the Xylus Themes XT Event Widget for Social Events plugin version 1.1.7 or earlier installed. The plugin is distributed as a standard WordPress add‑on and is identified as Xylus Themes XT Event Widget for Social Events.

Risk and Exploitability

The CVSS score of 7.5 indicates a high risk from a confidentiality and integrity perspective. The EPSS score of less than 1% suggests that exploitation is currently unlikely, and the vulnerability is not listed in CISA's KEV catalog. Based on the description, the likely attack vector is a request to the web server that triggers the insecure include, for example a specially formed URL or query string that the plugin processes. Because the flaw relies on file inclusion from the local filesystem, it may be mitigated by restricting file permissions or by removing the plugin entirely.

Generated by OpenCVE AI on May 1, 2026 at 08:47 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade the XT Event Widget for Social Events plugin to a version newer than 1.1.7 or apply the vendor’s published patch.
  • If an upgrade cannot be performed immediately, disable or delete the plugin from the site to stop the vulnerable code path.
  • As a temporary fix, modify the plugin’s include/require call to enforce strict filename validation, such as using basename() or a whitelist of allowed paths, or configure the PHP runtime to restrict include operations via open_basedir or .htaccess rules.
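The allowlist approach the third recommendation describes, written out as an added PHP example; this is not code from the XT Event Widget plugin, and the function name, the templates/ directory and the view names are assumptions:

```php
<?php
// Added example, not code from the XT Event Widget plugin. Shows the
// allowlist-plus-basename() approach recommended above for a CWE-98
// include/require call. xt_load_template, the templates/ directory and
// the view names are hypothetical.
//
// Unsafe pattern this guards against: building the include path from a
// request parameter, e.g.  include $_GET['view'] . '.php';

// Only these view names may ever reach include(). Anything else is refused.
const XT_ALLOWED_VIEWS = [
    'event-list'   => 'event-list.php',
    'event-single' => 'event-single.php',
];

// Resolve an untrusted view name to a file inside $templateDir, or return
// null if it is not on the allowlist or resolves outside that directory.
function xt_load_template(string $view, string $templateDir): ?string
{
    // 1. Exact allowlist match on the raw value, before any normalisation,
    //    so "../" sequences or null bytes are never interpreted at all.
    if (!array_key_exists($view, XT_ALLOWED_VIEWS)) {
        return null;
    }

    // 2. basename() is a second, cheap layer: even an allowlisted entry
    //    cannot carry directory components.
    $file = basename(XT_ALLOWED_VIEWS[$view]);

    // 3. Confine the resolved path to the template directory. realpath()
    //    returns false for a missing file, so that case also fails closed.
    $base = realpath($templateDir);
    $path = realpath($templateDir . DIRECTORY_SEPARATOR . $file);
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Usage in a request handler: refuse rather than fall back to a guessed path.
$view = isset($_GET['view']) ? (string) $_GET['view'] : 'event-list';
$path = xt_load_template($view, __DIR__ . '/templates');
if ($path === null) {
    http_response_code(400);
    exit('Unknown view');
}
include $path;
```

Setting open_basedir in php.ini to the site's document root, as the recommendation also notes, adds a runtime boundary that holds even if a future code change bypasses this check.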

Advisories
Source: EUVD
ID: EUVD-2025-13799
Title: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Xylus Themes XT Event Widget for Social Events allows PHP Local File Inclusion. This issue affects XT Event Widget for Social Events: from n/a through 1.1.7.
History

Thu, 23 Apr 2026 15:00:00 +0000

  Metrics (cvssV3_1)
    Values Removed: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
    Values Added:   {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000

  Description
    Values Removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Xylus Themes XT Event Widget for Social Events allows PHP Local File Inclusion. This issue affects XT Event Widget for Social Events: from n/a through 1.1.7.
    Values Added:   Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Xylus Themes XT Event Widget for Social Events xt-facebook-events allows PHP Local File Inclusion.This issue affects XT Event Widget for Social Events: from n/a through <= 1.1.7.
  Title
    Values Removed: WordPress XT Event Widget for Social Events <= 1.1.7 - Local File Inclusion Vulnerability
    Values Added:   WordPress XT Event Widget for Social Events plugin <= 1.1.7 - Local File Inclusion Vulnerability
  References
  Metrics (cvssV3_1)
    Values Removed: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}
    Values Added:   {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Mon, 12 Jan 2026 15:00:00 +0000

  First Time appeared
    Values Added:   Xylusthemes
                    Xylusthemes xt Event Widget For Social Events
  CPEs
    Values Added:   cpe:2.3:a:xylusthemes:xt_event_widget_for_social_events:*:*:*:*:*:wordpress:*:*
  Vendors & Products
    Values Added:   Xylusthemes
                    Xylusthemes xt Event Widget For Social Events

Mon, 14 Jul 2025 13:45:00 +0000

  Metrics (epss)
    Values Removed: {'score': 0.00147}
    Values Added:   {'score': 0.0017}

Wed, 07 May 2025 19:15:00 +0000

  Metrics (ssvc)
    Values Added:   {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 07 May 2025 14:45:00 +0000

  Description
    Values Added:   Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Xylus Themes XT Event Widget for Social Events allows PHP Local File Inclusion. This issue affects XT Event Widget for Social Events: from n/a through 1.1.7.
  Title
    Values Added:   WordPress XT Event Widget for Social Events <= 1.1.7 - Local File Inclusion Vulnerability
  Weaknesses
    Values Added:   CWE-98
  References
  Metrics (cvssV3_1)
    Values Added:   {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:44.156Z

Reserved: 2025-05-07T09:39:46.952Z

Link: CVE-2025-47531

Vulnrichment

Updated: 2025-05-07T17:19:29.787Z

NVD

Status : Modified

Published: 2025-05-07T15:16:10.197

Modified: 2026-04-23T15:30:25.920

Link: CVE-2025-47531

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T09:00:12Z

Weaknesses