Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in StylemixThemes Motors - Events stm-motors-events allows PHP Local File Inclusion. This issue affects Motors - Events: from n/a through <= 1.4.7.
Published: 2025-06-06
Score: 9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from improper handling of the filename used in PHP include/require statements. An unauthenticated attacker can cause the plugin to load arbitrary local files, which may lead to reading sensitive data or executing malicious code. This weakness corresponds to CWE-98 and can allow full remote code execution on the affected WordPress site.

Affected Systems

The affected product is StylemixThemes Motors – Events, a WordPress plugin. All versions from the earliest release through 1.4.7 are vulnerable. Any WordPress installation running one of these versions is at risk.

Risk and Exploitability

The CVSS score of 9 indicates critical severity, while the EPSS score of less than 1% suggests low current exploit probability. The vulnerability can be triggered without authentication, making it highly dangerous. Because the flaw allows inclusion of local files, an attacker could potentially run arbitrary PHP code, exfiltrate data, or compromise the entire WordPress environment. The CVE is not listed in the CISA KEV catalog, indicating no known active exploitation, but the severity warrants immediate action.

Generated by OpenCVE AI on April 30, 2026 at 12:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Motors – Events plugin to version 1.4.8 or later to apply the vendor patch.
  • If an upgrade is temporarily infeasible, disable or remove the plugin entirely to block the vulnerability.
  • Review the server’s file permissions and configuration to ensure that local files are protected and that PHP’s allow_url_include is disabled.

Advisories
Source: EUVD
ID: EUVD-2025-17129
Title: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in StylemixThemes Motors - Events allows PHP Local File Inclusion. This issue affects Motors - Events: from n/a through 1.4.7.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in StylemixThemes Motors - Events allows PHP Local File Inclusion. This issue affects Motors - Events: from n/a through 1.4.7.
  Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in StylemixThemes Motors - Events stm-motors-events allows PHP Local File Inclusion. This issue affects Motors - Events: from n/a through <= 1.4.7.
References
Metrics cvssV3_1

{'score': 9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H'}


Fri, 06 Jun 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 06 Jun 2025 12:00:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in StylemixThemes Motors - Events allows PHP Local File Inclusion. This issue affects Motors - Events: from n/a through 1.4.7.
Title WordPress Motors - Events plugin <= 1.4.7 - Unauthenticated Local File Inclusion vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:46.415Z

Reserved: 2025-05-07T09:55:31.578Z

Link: CVE-2025-47586

Vulnrichment

Updated: 2025-06-06T14:52:33.547Z

NVD

Status: Deferred

Published: 2025-06-06T12:15:23.477

Modified: 2026-04-23T15:30:32.920

Link: CVE-2025-47586

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T12:15:36Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')