Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in miniOrange miniOrange Discord Integration miniorange-discord-integration allows PHP Local File Inclusion. This issue affects miniOrange Discord Integration: from n/a through <= 2.2.2.
Published: 2025-05-23
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from improper validation of filenames in the include/require statements of the miniorange-discord-integration plugin. An attacker could supply crafted input that causes the plugin to read or execute arbitrary local files, potentially exposing sensitive data or enabling code execution on the server. This flaw corresponds to CWE‑98.

Affected Systems

All installations of the miniOrange Discord Integration WordPress plugin up to and including version 2.2.2 are affected. The issue is present across all earlier releases, and no fix is available in those versions.

Risk and Exploitability

With a CVSS score of 8.1, the flaw is rated high severity, while the EPSS score of less than 1% indicates a very low likelihood of exploitation. The vulnerability does not appear in the CISA KEV catalogue. The attack vector is inferred from the description: exploitation would typically require the attacker to supply a malicious filename value to the plugin’s file inclusion logic, which could be achieved through public endpoints or administrative interfaces of the WordPress site. No authentication is explicitly required, but the exact attack path depends on how the plugin is exposed.

Generated by OpenCVE AI on April 30, 2026 at 19:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade miniOrange Discord Integration to the latest version (2.2.3 or newer) where the file inclusion validation has been fixed.
  • If an upgrade is unavailable, immediately disable the file inclusion feature or restrict the plugin’s configuration to disallow dynamic paths.
  • Deploy a web application firewall rule to block requests containing suspicious path traversal characters or null bytes in parameters used by the plugin.

Advisories
Source: EUVD
ID: EUVD-2025-28116
Title: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in miniOrange miniOrange Discord Integration allows PHP Local File Inclusion. This issue affects miniOrange Discord Integration: from n/a through 2.2.2.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
Removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in miniOrange miniOrange Discord Integration allows PHP Local File Inclusion. This issue affects miniOrange Discord Integration: from n/a through 2.2.2.
Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in miniOrange miniOrange Discord Integration miniorange-discord-integration allows PHP Local File Inclusion. This issue affects miniOrange Discord Integration: from n/a through <= 2.2.2.
Title
Removed: WordPress miniOrange Discord Integration <= 2.2.2 - Local File Inclusion Vulnerability
Added: WordPress miniOrange Discord Integration plugin <= 2.2.2 - Local File Inclusion Vulnerability
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Fri, 23 May 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 23 May 2025 13:00:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in miniOrange miniOrange Discord Integration allows PHP Local File Inclusion. This issue affects miniOrange Discord Integration: from n/a through 2.2.2.
Title WordPress miniOrange Discord Integration <= 2.2.2 - Local File Inclusion Vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:49.047Z

Reserved: 2025-05-07T10:45:27.459Z

Link: CVE-2025-47672

Vulnrichment

Updated: 2025-05-23T16:54:50.710Z

NVD

Status: Deferred

Published: 2025-05-23T13:15:42.807

Modified: 2026-04-23T15:30:43.260

Link: CVE-2025-47672

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T19:30:26Z

Weaknesses