Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in GravityWP GravityWP - Merge Tags gravitywp-merge-tags allows PHP Local File Inclusion. This issue affects GravityWP - Merge Tags: from n/a through <= 1.4.4.
Published: 2025-08-14
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a Local File Inclusion flaw (CWE-98) in the GravityWP Merge Tags plugin for WordPress. Because the filename handed to a PHP include/require statement is not properly controlled, an attacker can make the plugin include files it was never meant to load. Any file readable by the web server process is exposed: non-PHP content is echoed into the response, and PHP code inside an included file runs with the plugin's privileges, so the flaw escalates to remote code execution whenever the attacker can get PHP into a file on the server that the plugin can be steered to include. The result is a loss of confidentiality and integrity, and potentially of availability, which is why all three impact metrics in the CVSS vector are rated High.

Affected Systems

GravityWP's Merge Tags plugin for WordPress (slug gravitywp-merge-tags). Every installation running version 1.4.4 or earlier is affected. The advisory gives no lower bound ("from n/a"), so treat all versions up to and including 1.4.4 as vulnerable.

Risk and Exploitability

The CVSS 3.1 base score of 7.5 (High) comes from the vector AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H: the flaw is reachable over the network without authentication, but attack complexity is rated High and user interaction is required, so a working attack depends on conditions outside the attacker's control and on an action by a user of the site. The EPSS score below 1% reflects a low observed probability of exploitation in the wild, the CVE is not listed in the CISA KEV catalog, and the SSVC assessment recorded at publication rates it as not automatable, with no known exploitation and partial technical impact. This page does not identify the request parameter or code path involved; what the weakness class (CWE-98) tells us is that some attacker-influenced value reaches an include/require path, so a crafted request could pull arbitrary local files into the page and, if an included file contains PHP, execute it.
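To make the CWE-98 pattern behind the Impact and Risk sections concrete, here is an added illustration of a vulnerable include beside a hardened version. This is hypothetical code written for this page, not code from the GravityWP Merge Tags plugin: the plugin's real parameter names, file layout and fix are not published here, and the `template` parameter, the `templates/` directory and the allowlist below are assumptions.

```php
<?php
// Added illustration of CWE-98 (improper control of filename for include/require).
// Hypothetical code, not from the GravityWP Merge Tags plugin: the plugin's actual
// parameter names and file layout are not on this page.

// Vulnerable pattern: a request value is joined straight into the include path.
function render_template_vulnerable(string $name): void
{
    // Caller passes $_GET['template'] (an assumed parameter name) through unchanged.
    include __DIR__ . '/templates/' . $name;
    // '../../../../etc/passwd' walks out of templates/ and its contents are echoed;
    // a path to a file the attacker managed to write PHP into is executed as PHP.
}

// Hardened pattern: an allowlist of known names, then a realpath containment check
// as a second, independent guard.
const ALLOWED_TEMPLATES = ['summary', 'detail'];

function resolve_template(string $name): ?string
{
    if (!in_array($name, ALLOWED_TEMPLATES, true)) {
        return null; // unknown name: refuse rather than try to normalise it
    }
    $base = realpath(__DIR__ . '/templates');
    $path = realpath($base . '/' . $name . '.php');
    // realpath() returns false for missing files and collapses '..' and symlinks,
    // so the prefix comparison catches escapes that an allowlist bug alone might miss.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function render_template_safe(string $name): void
{
    $path = resolve_template($name);
    if ($path === null) {
        http_response_code(400);
        return;
    }
    include $path;
}

// Constructed inputs for a quick check; none needs a templates/ directory to exist,
// because both are rejected before any filesystem access.
var_dump(resolve_template('../../../../etc/passwd')); // NULL: not in the allowlist
var_dump(resolve_template('summary/../../wp-config')); // NULL: not in the allowlist
```

The order of the two guards matters: the allowlist decides what may be loaded, and the realpath check only confirms that the resolved file still sits under `templates/`. Doing the prefix comparison on the unresolved string instead would let `templates/../wp-config.php` pass.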

Generated by OpenCVE AI on April 30, 2026 at 09:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the GravityWP Merge Tags plugin to a release newer than 1.4.4 as soon as the vendor publishes a fixed version; at the time of this page no fix is listed (see Remediation above), so verify the version you install actually post-dates the advisory.
  • Until a patched version is available, deactivate or uninstall the plugin; this removes the vulnerable include path entirely and is the only workaround that fully closes the issue.
  • Do not rely on tightening permissions on the plugin directory (for example chmod 700): the include runs as the web server user, which must be able to read the plugin anyway, and the files an LFI targets live elsewhere. Instead confine the PHP process with open_basedir, keep allow_url_include=Off so the flaw cannot become a remote include, and minimise what the web server user can read outside the document root.
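As an added example of the runtime confinement suggested in the last action (not vendor guidance and not OpenCVE's text), the php.ini fragment below shows the weak default beside a hardened setting. The paths are assumptions for a typical Linux WordPress layout; set them to your own document root and temporary-file directories.

```ini
; Added example, not from the vendor or OpenCVE: PHP runtime settings that limit
; what a local file inclusion can reach. Paths are assumptions for a typical
; Linux WordPress install; adjust to your docroot and upload/tmp directories.

; Weak: the default leaves include/require (and every other filesystem call)
; free to load any file the PHP process can read, anywhere on disk.
;open_basedir =

; Hardened: restrict PHP's filesystem access to the listed trees. Separate
; entries with ':' on Linux and ';' on Windows. Too tight a list breaks uploads
; and updates, so include the temp directory WordPress actually uses.
open_basedir = /var/www/html/:/tmp/

; Keep remote includes disabled (the default since PHP 5.2) so that the same
; unchecked include path cannot be pointed at an attacker-hosted URL.
allow_url_include = Off
```

Note the limit of this control: wp-config.php sits inside the document root, so open_basedir does not stop an LFI from reading it. The setting shrinks the blast radius; it does not substitute for removing or patching the plugin.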



Advisories
Source: EUVD
ID: EUVD-2025-24774
Title: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in GravityWP GravityWP - Merge Tags allows PHP Local File Inclusion. This issue affects GravityWP - Merge Tags: from n/a through 1.4.4.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
Values Removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in GravityWP GravityWP - Merge Tags allows PHP Local File Inclusion. This issue affects GravityWP - Merge Tags: from n/a through 1.4.4.
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in GravityWP GravityWP - Merge Tags gravitywp-merge-tags allows PHP Local File Inclusion.This issue affects GravityWP - Merge Tags: from n/a through <= 1.4.4.
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}


Thu, 14 Aug 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 14 Aug 2025 13:00:00 +0000

Type Values Removed Values Added
First Time appeared
Values Added: Wordpress; Wordpress wordpress
Vendors & Products
Values Added: Wordpress; Wordpress wordpress

Thu, 14 Aug 2025 10:45:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in GravityWP GravityWP - Merge Tags allows PHP Local File Inclusion. This issue affects GravityWP - Merge Tags: from n/a through 1.4.4.
Title WordPress GravityWP - Merge Tags <= 1.4.4 - Local File Inclusion Vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-12T00:32:34.814Z

Reserved: 2025-06-04T09:41:22.715Z

Link: CVE-2025-49271

Vulnrichment

Updated: 2025-08-14T16:02:41.767Z

NVD

Status : Deferred

Published: 2025-08-14T11:15:40.030

Modified: 2026-04-23T15:31:21.913

Link: CVE-2025-49271

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T09:15:28Z

Weaknesses