Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in codesupplyco Networker networker allows PHP Local File Inclusion.This issue affects Networker: from n/a through <= 1.2.0.
Published: 2025-06-27
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from improper control of the filename used in PHP's include/require statements, allowing a Local File Inclusion (LFI) flaw. This weakness can be leveraged by an attacker to read arbitrary files residing on the server, potentially exposing configuration files, credentials, or source code. In the worst case, information gathered through LFI can aid further exploitation, compromising confidentiality of the system.

Affected Systems

WordPress theme Networker from the vendor codesupplyco is affected through version 1.2.0. Any site using this theme version is potentially vulnerable; newer releases are not listed as impacted.

Risk and Exploitability

The CVSS score of 8.1 categorises this flaw as High severity. The EPSS score is reported as less than 1%, indicating a very low probability of exploitation at the time of analysis. The vulnerability is not listed in CISA's KEV catalog. Likely attack vectors involve a local attacker with access to the web application who can manipulate the filename parameter in the include/require logic, often via crafted HTTP requests. An attacker could therefore read sensitive local files and analyze server configuration.

Generated by OpenCVE AI on April 30, 2026 at 10:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Networker theme to a version newer than 1.2.0 to eliminate the LFI flaw
  • If an upgrade is not immediately possible, restrict the directories accessible to the include/require statement by modifying the theme code or using server‐level configuration to prevent reading of sensitive files
  • Deploy a web application firewall or similar filtering to block requests that attempt to inject suspicious filenames or directory traversal patterns

Generated by OpenCVE AI on April 30, 2026 at 10:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-19294 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in codesupplyco Networker allows PHP Local File Inclusion. This issue affects Networker: from n/a through 1.2.0.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in codesupplyco Networker allows PHP Local File Inclusion. This issue affects Networker: from n/a through 1.2.0. Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in codesupplyco Networker networker allows PHP Local File Inclusion.This issue affects Networker: from n/a through <= 1.2.0.
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Fri, 27 Jun 2025 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 27 Jun 2025 12:00:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in codesupplyco Networker allows PHP Local File Inclusion. This issue affects Networker: from n/a through 1.2.0.
Title WordPress Networker theme <= 1.2.0 - Local File Inclusion Vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-12T00:27:24.604Z

Reserved: 2025-06-19T10:02:25.009Z

Link: CVE-2025-52723

cve-icon Vulnrichment

Updated: 2025-06-27T13:07:08.884Z

cve-icon NVD

Status : Deferred

Published: 2025-06-27T12:15:39.590

Modified: 2026-04-23T15:32:05.223

Link: CVE-2025-52723

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T10:30:34Z

Weaknesses