Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WP Event Manager WP Event Manager wp-event-manager allows PHP Local File Inclusion. This issue affects WP Event Manager: from n/a through <= 3.1.51.
Published: 2025-06-09
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WP Event Manager plugin, in versions up to and including 3.1.51, contains a flaw where the filename used in a PHP include statement is not properly validated. This allows an attacker to influence the path of the included file, potentially leading to the inclusion of local or remote files. The vulnerability is classified as CWE-98. An attacker who exploits it can execute arbitrary PHP code or disclose sensitive files, impacting confidentiality, integrity, and availability of the affected WordPress installation.

Affected Systems

WordPress sites running the WP Event Manager plugin at any version from the initial release through 3.1.51 are impacted. Sites that have not upgraded past 3.1.51 remain vulnerable.

Risk and Exploitability

The CVSS score of 8.1 indicates a high severity. The EPSS score is listed as < 1%, implying a very low probability of exploitation at the time of this analysis. This vulnerability is not included in the CISA KEV catalog. Attackers would likely need local file write or a crafted action that triggers the faulty include. If the include resolves to a remote file, remote code execution could be achieved, but the conditions for such exploitation appear to be limited.

Generated by OpenCVE AI on April 30, 2026 at 18:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor patch by upgrading the WP Event Manager plugin to the latest stable release (>= 3.1.52) which fixes the local file inclusion flaw.
  • Block the vulnerable inclusion by restricting the plugin’s directory permissions or using .htaccess rules to deny requests to paths that trigger the include logic, limiting the attack surface until an update can be applied.
  • Configure PHP to further mitigate inclusion risks: set allow_url_include to Off and enable open_basedir to restrict file system access to the web root, ensuring that even if the vulnerable code is executed, it cannot read arbitrary files.

Advisories
Source: EUVD
ID: EUVD-2025-17527
Title: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WP Event Manager WP Event Manager allows PHP Local File Inclusion. This issue affects WP Event Manager: from n/a through 3.1.49.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WP Event Manager WP Event Manager allows PHP Local File Inclusion. This issue affects WP Event Manager: from n/a through 3.1.49.
  Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WP Event Manager WP Event Manager wp-event-manager allows PHP Local File Inclusion. This issue affects WP Event Manager: from n/a through <= 3.1.51.
Title
  Removed: WordPress WP Event Manager <= 3.1.49 - Local File Inclusion Vulnerability
  Added: WordPress WP Event Manager plugin <= 3.1.51 - Local File Inclusion Vulnerability
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Fri, 11 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics
  Removed: epss {'score': 0.00151}
  Added: epss {'score': 0.00165}


Tue, 10 Jun 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 09 Jun 2025 16:00:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WP Event Manager WP Event Manager allows PHP Local File Inclusion. This issue affects WP Event Manager: from n/a through 3.1.49.
Title WordPress WP Event Manager <= 3.1.49 - Local File Inclusion Vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:52.117Z

Reserved: 2025-05-15T18:01:28.792Z

Link: CVE-2025-48125

Vulnrichment

Updated: 2025-06-10T13:41:29.680Z

NVD

Status: Deferred

Published: 2025-06-09T16:15:42.840

Modified: 2026-04-23T15:30:50.453

Link: CVE-2025-48125

OpenCVE Enrichment

Updated: 2026-04-30T18:15:06Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')