Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Cena Store cena allows PHP Local File Inclusion. This issue affects Cena Store: from n/a through <= 2.11.26.
Published: 2025-08-20
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is caused by improper validation of filenames used in PHP include/require statements within the Cena Store plugin. An attacker who can provide a crafted path could cause the plugin to include arbitrary local files, which may enable reading sensitive data or executing code in the PHP context. The description indicates that the inclusion is performed locally, so the attack vector is likely local and may require access to the plugin interface.

Affected Systems

The issue affects the thembay Cena Store WordPress plugin for versions 2.11.26 and earlier. All installations of these versions are vulnerable whenever the plugin is active.

Risk and Exploitability

The CVSS score of 8.1 places the issue in the high severity range. The EPSS score is below 1%, indicating a low probability of exploitation at present. It is not listed in CISA's KEV catalog. Exploitation would require an attacker to supply a file path that the plugin accepts for inclusion; that such a path is supplied through a local plugin interface is inferred rather than guaranteed.

Generated by OpenCVE AI on April 30, 2026 at 15:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Cena Store plugin to a version newer than 2.11.26
  • If an upgrade is not immediately feasible, disable or remove the plugin to eliminate the attack vector
  • If the plugin must remain active, review its configuration to ensure that no user-supplied paths are passed to include or require statements

Generated by OpenCVE AI on April 30, 2026 at 15:54 UTC.

Advisories
Source: EUVD
ID: EUVD-2025-25373
Title: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Cena Store allows PHP Local File Inclusion. This issue affects Cena Store: from n/a through 2.11.26.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
Values Removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Cena Store allows PHP Local File Inclusion. This issue affects Cena Store: from n/a through 2.11.26.
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Cena Store cena allows PHP Local File Inclusion.This issue affects Cena Store: from n/a through <= 2.11.26.
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Thu, 21 Aug 2025 12:45:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Wed, 20 Aug 2025 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 20 Aug 2025 08:15:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Cena Store allows PHP Local File Inclusion. This issue affects Cena Store: from n/a through 2.11.26.
Title WordPress Cena Store <= 2.11.26 - Local File Inclusion Vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:53.172Z

Reserved: 2025-05-15T18:02:16.098Z

Link: CVE-2025-48171

Vulnrichment

Updated: 2025-08-20T17:42:33.996Z

NVD

Status: Deferred

Published: 2025-08-20T08:15:33.180

Modified: 2026-04-23T15:30:55.707

Link: CVE-2025-48171

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T16:00:13Z

Weaknesses