Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in solwin Blog Designer PRO blog-designer-pro. This issue affects Blog Designer PRO: from n/a through <= 3.4.7.
Published: 2025-08-31
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An improper control of the filename used in an include/require statement allows an unauthenticated attacker to trigger a local file inclusion vulnerability in the solwin Blog Designer PRO plugin. This flaw permits the attacker to read sensitive files, such as configuration files or passwords, and may expose confidential data. The attack does not require authentication and is limited to the files the plugin accesses.

Affected Systems

The vulnerability affects the solwin Blog Designer PRO WordPress plugin, version 3.4.7 and earlier. No specific lower bound is documented, so any release up to 3.4.7 is potentially impacted. All WordPress sites using this plugin should verify their installed version and plan an upgrade if they are running a vulnerable build.

Risk and Exploitability

The CVSS score of 8.1 indicates high severity, and the EPSS score of less than 1% suggests a low probability of exploitation in the wild. Because the vulnerability is unauthenticated, no prior access or credentials are required, simplifying the attack. The flaw is not listed in the CISA KEV catalog. Once patched, the plugin will no longer allow local file inclusion that could expose sensitive data.

Generated by OpenCVE AI on May 1, 2026 at 06:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Blog Designer PRO plugin to version 3.4.8 or later.
  • If immediate upgrade is not possible, temporarily deactivate the plugin to prevent exploitation until the patch is applied.
  • After the upgrade, delete the old plugin files from the server to remove any remaining vulnerable code.



Advisories
Source | ID | Title
EUVD | EUVD-2025-26283 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Solwin Blog Designer PRO. This issue affects Blog Designer PRO: from n/a through 3.4.7.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Solwin Blog Designer PRO. This issue affects Blog Designer PRO: from n/a through 3.4.7.
  Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in solwin Blog Designer PRO blog-designer-pro. This issue affects Blog Designer PRO: from n/a through <= 3.4.7.
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Tue, 02 Sep 2025 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 01 Sep 2025 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Solwin
Solwin blog Designer Pro
Wordpress
Wordpress wordpress
Vendors & Products Solwin
Solwin blog Designer Pro
Wordpress
Wordpress wordpress

Sun, 31 Aug 2025 04:00:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Solwin Blog Designer PRO. This issue affects Blog Designer PRO: from n/a through 3.4.7.
Title WordPress Blog Designer PRO plugin <= 3.4.7 - Unauthenticated Non-Arbitrary Local File Inclusion vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:50.334Z

Reserved: 2025-05-07T10:45:47.047Z

Link: CVE-2025-47696

Vulnrichment

Updated: 2025-09-02T20:33:53.175Z

NVD

Status: Deferred

Published: 2025-08-31T04:15:54.143

Modified: 2026-04-23T15:30:45.847

Link: CVE-2025-47696

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T06:30:10Z

Weaknesses