Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in tggfref WP-Recall allows PHP Local File Inclusion. This issue affects WP-Recall: from n/a through 16.26.14.
Published: 2025-05-07
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WP-Recall plugin contains an include/require statement that accepts a filename parameter without proper validation. An attacker can supply a crafted path that causes the plugin to load an arbitrary local file, allowing the attacker to read sensitive files such as configuration or log files. Based on the description, it is inferred that if the attacker supplies content that is later included as executable code, remote code execution could be possible. This vulnerability could thus compromise the confidentiality, integrity, and availability of the affected WordPress site.

Affected Systems

All supported releases of the WP-Recall WordPress plugin up to and including version 16.26.14 are affected. This covers every installation running one of these versions, including installations that were downgraded to one.

Risk and Exploitability

The CVSS score of 7.5 indicates a high impact if exploited, while the EPSS score of less than 1% suggests that exploitation is not currently common. The vulnerability is not listed in the CISA KEV catalog. An attacker would typically trigger the flaw by sending a crafted request containing a malicious file path to the plugin’s include endpoint, which is accessible via normal web traffic. Based on the description, it is inferred that successful exploitation could expose sensitive data or allow code execution, posing a serious risk to confidentiality, integrity, and availability of the affected WordPress site.

Generated by OpenCVE AI on April 30, 2026 at 20:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WP-Recall to the latest version that contains the fix (at least 16.26.15).
  • If an immediate upgrade cannot be performed, temporarily disable or remove the WP-Recall plugin from the WordPress installation to prevent the vulnerability from being exploitable.
  • Implement additional defense-in-depth measures such as restricting file permissions on the WordPress installation, configuring the web server to block execution of PHP in directories that should not contain scripts, and validating all user-supplied file paths on the server side.



Advisories
Source: EUVD
ID: EUVD-2025-13742
Title: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in tggfref WP-Recall allows PHP Local File Inclusion. This issue affects WP-Recall: from n/a through 16.26.14.

History

Tue, 28 Apr 2026 19:45:00 +0000


Tue, 28 Apr 2026 18:30:00 +0000

Description
  Removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in tggfref WP-Recall wp-recall allows PHP Local File Inclusion.This issue affects WP-Recall: from n/a through <= 16.26.14.
  Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in tggfref WP-Recall allows PHP Local File Inclusion. This issue affects WP-Recall: from n/a through 16.26.14.
Title
  Removed: WordPress WP-Recall plugin <= 16.26.14 - Local File Inclusion Vulnerability
  Added: WordPress WP-Recall <= 16.26.14 - Local File Inclusion Vulnerability
References

Thu, 23 Apr 2026 15:45:00 +0000


Thu, 23 Apr 2026 15:00:00 +0000

Description
  Removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in tggfref WP-Recall allows PHP Local File Inclusion. This issue affects WP-Recall: from n/a through 16.26.14.
  Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in tggfref WP-Recall wp-recall allows PHP Local File Inclusion.This issue affects WP-Recall: from n/a through <= 16.26.14.
Title
  Removed: WordPress WP-Recall <= 16.26.14 - Local File Inclusion Vulnerability
  Added: WordPress WP-Recall plugin <= 16.26.14 - Local File Inclusion Vulnerability
References

Mon, 14 Jul 2025 13:45:00 +0000

Metrics
  Removed: epss {'score': 0.00147}
  Added: epss {'score': 0.0017}


Wed, 07 May 2025 21:15:00 +0000

Metrics
  Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 07 May 2025 14:45:00 +0000

Description
  Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in tggfref WP-Recall allows PHP Local File Inclusion. This issue affects WP-Recall: from n/a through 16.26.14.
Title
  Added: WordPress WP-Recall <= 16.26.14 - Local File Inclusion Vulnerability
Weaknesses
  Added: CWE-98
References
Metrics
  Added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:48.004Z

Reserved: 2025-05-07T10:45:13.130Z

Link: CVE-2025-47653

Vulnrichment

Updated: 2025-05-07T20:39:30.455Z

NVD

Status: Deferred

Published: 2025-05-07T15:16:17.860

Modified: 2026-04-28T19:32:31.213

Link: CVE-2025-47653

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T20:30:26Z

Weaknesses