Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in PublishPress Gutenberg Blocks advanced-gutenberg allows PHP Local File Inclusion. This issue affects Gutenberg Blocks: from n/a through <= 3.3.1.
Published: 2025-08-14
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

PublishPress Gutenberg Blocks up to version 3.3.1 contains improper control of filename for include/require, allowing local file inclusion. A remote attacker controlling the filename parameter could cause PHP to include arbitrary local files, potentially leading to remote code execution or disclosure of sensitive files. This is a CWE‑98 flaw.

Affected Systems

The affected vendor is PublishPress, product Gutenberg Blocks (advanced‑gutenberg) for WordPress. Versions from the initial release through 3.3.1 are impacted. No specific patch version is listed; guidance points to upgrading beyond 3.3.1.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity. The EPSS score is under 1%, suggesting a low current probability of exploitation. The vulnerability is not in the CISA KEV catalog. Attackers would need to craft a request that manipulates the filename variable, likely via a query string or form input, and may require sufficient WordPress privileges, though the description does not specify. As the flaw is a local inclusion, an attacker could read or execute files on the server, depending on context.

Generated by OpenCVE AI on April 30, 2026 at 09:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Gutenberg Blocks to version 3.3.2 or later, eliminating the filename control flaw.
  • Restrict PHP’s include path by configuring open_basedir to the application’s root and preventing inclusion of files outside that directory.
  • Deploy a web application firewall or add URL filtering rules to block requests that contain suspicious file parameters or directory‑traversal sequences such as "../".

Advisories
Source: EUVD
ID: EUVD-2025-24751
Title: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in PublishPress Gutenberg Blocks allows PHP Local File Inclusion. This issue affects Gutenberg Blocks: from n/a through 3.3.1.
History

Thu, 23 Apr 2026 15:00:00 +0000
  • Metrics cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000
  • Description, value removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in PublishPress Gutenberg Blocks allows PHP Local File Inclusion. This issue affects Gutenberg Blocks: from n/a through 3.3.1.
  • Description, value added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in PublishPress Gutenberg Blocks advanced-gutenberg allows PHP Local File Inclusion.This issue affects Gutenberg Blocks: from n/a through <= 3.3.1.
  • References: (values not shown)
  • Metrics cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Thu, 14 Aug 2025 15:15:00 +0000
  • Metrics ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 14 Aug 2025 13:00:00 +0000
  • First Time appeared: Wordpress, Wordpress wordpress
  • Vendors & Products: Wordpress, Wordpress wordpress

Thu, 14 Aug 2025 10:45:00 +0000
  • Description: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in PublishPress Gutenberg Blocks allows PHP Local File Inclusion. This issue affects Gutenberg Blocks: from n/a through 3.3.1.
  • Title: WordPress Gutenberg Blocks <= 3.3.1 - Local File Inclusion Vulnerability
  • Weaknesses: CWE-98
  • References: (values not shown)
  • Metrics cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}


Subscriptions

Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-12T00:32:48.248Z

Reserved: 2025-05-19T14:14:34.468Z

Link: CVE-2025-48332

Vulnrichment

Updated: 2025-08-14T14:22:43.770Z

NVD

Status: Deferred

Published: 2025-08-14T11:15:35.437

Modified: 2026-04-23T15:31:07.387

Link: CVE-2025-48332

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T09:15:28Z

Weaknesses