Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Estatik Mortgage Calculator Estatik estatik-mortgage-calculator allows PHP Local File Inclusion. This issue affects Mortgage Calculator Estatik: from n/a through <= 2.0.12.
Published: 2025-05-16
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Estatik Mortgage Calculator Estatik plugin does not properly control the filename used in a PHP include/require statement. This flaw allows an attacker to specify a local path, leading to local file inclusion. The vulnerability can expose sensitive files or configuration data, potentially revealing credentials or system information.

Affected Systems

All WordPress sites running the Estatik Mortgage Calculator Estatik plugin version 2.0.12 or earlier are affected. The issue does not affect later releases.

Risk and Exploitability

The CVSS score of 7.5 reflects a high severity flaw, with an EPSS score below 1%, indicating a low probability of current exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires that the attacker can influence the include parameter, typically through a crafted request to the plugin. If successful, the attacker can read arbitrary local files on the server, which may lead to information disclosure or facilitate further attacks.

Generated by OpenCVE AI on April 30, 2026 at 12:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Estatik Mortgage Calculator Estatik plugin to a version newer than 2.0.12 (e.g., 2.0.13 or later) to apply the vendor's fix.
  • If an upgrade is not immediately possible, remove or disable the plugin's functionality that accepts user‑specified filenames for inclusion to prevent the LFI vector.
  • Harden the WordPress environment by disabling PHP settings that enable arbitrary file inclusion, such as 'allow_url_include', and limiting the include path to trusted directories.
  • Apply input validation on parameters that are used in include/require statements, ensuring that only whitelisted filenames are allowed.

Generated by OpenCVE AI on April 30, 2026 at 12:57 UTC.
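
The allowlist validation recommended in the last action above, sketched in PHP as an added example (not the plugin's code and not the vendor's fix). The `view` parameter, the `templates/` directory and the view names are hypothetical.

```php
<?php
// Added example. The parameter name "view", the templates/ directory and the
// view names are hypothetical; they are not taken from the Estatik plugin.

// Vulnerable pattern (CWE-98): request data flows straight into include.
//   include __DIR__ . '/templates/' . $_GET['view'] . '.php';

const TEMPLATE_DIR = __DIR__ . '/templates';

// Allowlist: public view name => file that lives under TEMPLATE_DIR.
// The request value is only ever used as a lookup key, never as a path.
const ALLOWED_VIEWS = [
    'calculator' => 'calculator.php',
    'summary'    => 'summary.php',
];

/**
 * Return the absolute path of an allowlisted template, or null when the
 * request value is not a string, is not on the allowlist, or resolves
 * outside TEMPLATE_DIR.
 */
function resolve_view($requested): ?string
{
    // $_GET values can be arrays (?view[]=x), so check the type first.
    if (!is_string($requested) || !array_key_exists($requested, ALLOWED_VIEWS)) {
        return null;
    }

    $base = realpath(TEMPLATE_DIR);
    $path = realpath(TEMPLATE_DIR . '/' . ALLOWED_VIEWS[$requested]);
    if ($base === false || $path === false) {
        return null; // directory or template file is missing
    }

    // Defence in depth: the resolved path must stay inside the base
    // directory, which also catches a symlinked template.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

$view = resolve_view($_GET['view'] ?? 'calculator');
if ($view === null) {
    http_response_code(400);
    exit('Unknown view');
}
include $view;
```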

Advisories
Source: EUVD
ID: EUVD-2025-15513
Title: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Estatik Mortgage Calculator Estatik allows PHP Local File Inclusion. This issue affects Mortgage Calculator Estatik: from n/a through 2.0.12.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
Values Added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Estatik Mortgage Calculator Estatik allows PHP Local File Inclusion. This issue affects Mortgage Calculator Estatik: from n/a through 2.0.12.
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Estatik Mortgage Calculator Estatik estatik-mortgage-calculator allows PHP Local File Inclusion. This issue affects Mortgage Calculator Estatik: from n/a through <= 2.0.12.

Type: Title
Values Removed: WordPress Mortgage Calculator Estatik <= 2.0.12 - Local File Inclusion Vulnerability
Values Added: WordPress Mortgage Calculator Estatik plugin <= 2.0.12 - Local File Inclusion Vulnerability

Type: References

Type: Metrics
Values Removed: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}
Values Added: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Fri, 30 May 2025 21:45:00 +0000

Type: First Time appeared
Values Added: Estatik; Estatik mortgage Calculator

Type: Weaknesses
Values Added: CWE-706

Type: CPEs
Values Added: cpe:2.3:a:estatik:mortgage_calculator:*:*:*:*:*:wordpress:*:*

Type: Vendors & Products
Values Added: Estatik; Estatik mortgage Calculator

Fri, 16 May 2025 17:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 16 May 2025 16:00:00 +0000

Type: Description
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Estatik Mortgage Calculator Estatik allows PHP Local File Inclusion. This issue affects Mortgage Calculator Estatik: from n/a through 2.0.12.

Type: Title
Values Added: WordPress Mortgage Calculator Estatik <= 2.0.12 - Local File Inclusion Vulnerability

Type: Weaknesses
Values Added: CWE-98

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:52.191Z

Reserved: 2025-05-15T18:01:40.431Z

Link: CVE-2025-48136

Vulnrichment

Updated: 2025-05-16T16:21:50.631Z

NVD

Status: Modified

Published: 2025-05-16T16:15:45.527

Modified: 2026-04-23T15:30:51.833

Link: CVE-2025-48136

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T13:00:13Z

Weaknesses