Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ovatheme eventlist eventlist allows PHP Local File Inclusion. This issue affects eventlist: from n/a through <= 1.9.2.
Published: 2025-08-20
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in the ovatheme eventlist plugin involves improper control of filenames used in PHP include or require statements, allowing an attacker to trigger a Local File Inclusion (LFI). This weakness, identified as CWE-98, enables the inclusion of any file on the server's filesystem that is reachable through the plugin's input. If an attacker can supply a crafted path, sensitive files may be read or, in some configurations, code may be executed, which can lead to full compromise of the application and potentially the host. The vulnerability is present in all released versions through 1.9.2.

Affected Systems

WordPress users who have installed the Ovatheme eventlist plugin, any version up to and including 1.9.2. The issue affects every deployment of the plugin within that version range, regardless of other configurations or plugins present.

Risk and Exploitability

The CVSS score of 8.1 places the issue in the high severity range, while the EPSS score of less than 1% indicates that widespread exploitation is currently unlikely. The vulnerability is not listed in CISA's KEV catalog. Based on the description, the likely attack vector is manipulation of the plugin's file path parameter, which is typically exposed through a URL or form input. Where the plugin exposes that parameter to unauthenticated requests, an attacker could launch the attack directly; otherwise an authenticated user could use the LFI to read internal files or execute code if the plugin's environment permits it.

Generated by OpenCVE AI on April 30, 2026 at 15:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Ovatheme eventlist plugin to the latest stable release (1.9.3 or newer if available) to apply the vendor’s fix.
  • If an upgrade is not immediately possible, disable the eventlist plugin or restrict its use to trusted users until the patch can be applied.
  • Implement input validation on the file path parameter—ensure that only expected directories or filenames are allowed, or reject any user input that attempts directory traversal.

Generated by OpenCVE AI on April 30, 2026 at 15:56 UTC.
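To make the third recommended action concrete, the following is an added illustration of the CWE-98 pattern this record describes beside an allowlisted, containment-checked replacement. It is hypothetical code, not code from the eventlist plugin or from OpenCVE; the request parameter name `template`, the template names and the `templates/` directory are assumptions.

```php
<?php
// VULNERABLE (CWE-98): a request value decides which file is included, so any
// readable file on the server can be pulled in and executed as PHP.
function render_template_vulnerable(string $template): void {
    include __DIR__ . '/templates/' . $template . '.php';
}

// HARDENED: an exact-match allowlist plus a filesystem containment check.
// The allowlist alone already rejects traversal; the containment check is a
// second, independent control in case the allowlist is later widened.
const ALLOWED_TEMPLATES = ['list', 'grid', 'calendar']; // assumed names

function resolve_template(string $template, string $baseDir): ?string {
    // Strict comparison: no path separators, dots or null bytes can match.
    if (!in_array($template, ALLOWED_TEMPLATES, true)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $template . '.php');
    // Resolved file must exist and sit strictly below the template directory.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function render_template_hardened(string $template): void {
    $path = resolve_template($template, __DIR__ . '/templates');
    if ($path === null) {
        http_response_code(400);
        echo 'Unknown template';
        return;
    }
    include $path;
}

// Only accept a scalar string; ?template[]=x would otherwise arrive as an array.
$requested = (isset($_GET['template']) && is_string($_GET['template']))
    ? $_GET['template'] : 'list';
render_template_hardened($requested);
```

In a WordPress plugin the same allowlist check can sit behind `sanitize_key()` for normalisation, but the allowlist remains the control that actually prevents inclusion of unexpected files.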


Advisories
Source: EUVD
ID: EUVD-2025-25335
Title: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ovatheme eventlist allows PHP Local File Inclusion. This issue affects eventlist: from n/a through 1.9.2.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ovatheme eventlist allows PHP Local File Inclusion. This issue affects eventlist: from n/a through 1.9.2.
  Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ovatheme eventlist eventlist allows PHP Local File Inclusion.This issue affects eventlist: from n/a through <= 1.9.2.
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Thu, 21 Aug 2025 12:45:00 +0000

Type Values Removed Values Added
First Time appeared
  Added: Wordpress; Wordpress wordpress
Vendors & Products
  Added: Wordpress; Wordpress wordpress

Wed, 20 Aug 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 20 Aug 2025 08:15:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ovatheme eventlist allows PHP Local File Inclusion. This issue affects eventlist: from n/a through 1.9.2.
Title WordPress eventlist plugin <= 1.9.2 - Local File Inclusion Vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:20.749Z

Reserved: 2025-06-27T10:27:45.005Z

Link: CVE-2025-53204

Vulnrichment

Updated: 2025-08-20T15:37:42.229Z

NVD

Status : Deferred

Published: 2025-08-20T08:15:40.263

Modified: 2026-04-23T15:32:17.173

Link: CVE-2025-53204

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T16:00:13Z

Weaknesses