Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Acato WP REST Cache wp-rest-cache allows PHP Local File Inclusion. This issue affects WP REST Cache: from n/a through <= 2025.1.0.
Published: 2025-08-14
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is improper control of the filename passed to an include/require statement in the Acato WP REST Cache plugin, enabling PHP Local File Inclusion. This flaw can allow an attacker to read arbitrary files from the server, potentially exposing sensitive configuration, credentials, or other confidential data. The issue is classified as CWE-98 and carries a CVSS score of 7.5 (High).

Affected Systems

The affected component is the Acato WP REST Cache plugin for WordPress. All releases from the first version through and including 2025.1.0 are vulnerable.

Risk and Exploitability

The low EPSS score (<1%) suggests a low likelihood of exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. However, the attack vector is likely exposed through the plugin's REST API endpoint, and the lack of explicit authentication requirements in the description implies that unauthenticated or low-privilege users could craft requests to trigger file inclusion. The recorded CVSS vector (AV:N/AC:H/PR:N/UI:R) is consistent with this: no privileges are required, but attack complexity is high and user interaction is needed. Once exploited, the attacker may read sensitive files, resulting in a confidentiality breach. With a CVSS score of 7.5 (High), the potential impact is significant if the vulnerability is leveraged stealthily over time.

Generated by OpenCVE AI on April 30, 2026 at 16:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WP REST Cache to a version newer than 2025.1.0.
  • If an upgrade cannot be performed immediately, disable the plugin or block its REST API routes to prevent exploitation.
  • Ensure that any custom code interacting with the plugin follows strict path validation or uses a whitelist of safe directories.



Advisories
Source: EUVD
ID: EUVD-2025-24783
Title: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Acato WP REST Cache allows PHP Local File Inclusion. This issue affects WP REST Cache: from n/a through 2025.1.0.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Acato WP REST Cache allows PHP Local File Inclusion. This issue affects WP REST Cache: from n/a through 2025.1.0.
  Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Acato WP REST Cache wp-rest-cache allows PHP Local File Inclusion. This issue affects WP REST Cache: from n/a through <= 2025.1.0.
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}


Thu, 14 Aug 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 14 Aug 2025 13:00:00 +0000

Type Values Removed Values Added
First Time appeared: Wordpress; Wordpress wordpress
Vendors & Products: Wordpress; Wordpress wordpress

Thu, 14 Aug 2025 10:45:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Acato WP REST Cache allows PHP Local File Inclusion. This issue affects WP REST Cache: from n/a through 2025.1.0.
Title WordPress WP REST Cache <= 2025.1.0 - Local File Inclusion Vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:17.309Z

Reserved: 2025-06-19T10:02:14.560Z

Link: CVE-2025-52716

Vulnrichment

Updated: 2025-08-14T14:22:49.798Z

NVD

Status: Deferred

Published: 2025-08-14T11:15:41.817

Modified: 2026-04-23T15:32:04.440

Link: CVE-2025-52716

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T16:30:16Z

Weaknesses