Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Serhii Pasyuk Gmedia Photo Gallery grand-media allows PHP Local File Inclusion. This issue affects Gmedia Photo Gallery: from n/a through <= 1.23.0.
Published: 2025-06-27
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability stems from inadequate sanitisation of filenames used in PHP include/require statements within the Gmedia Photo Gallery plugin. An attacker can supply a crafted filename that causes the plugin to include an arbitrary local file and, if that file contains PHP code, execute it. This flaw corresponds to CWE-98 and can compromise the confidentiality, integrity, and availability of the affected WordPress installation, potentially giving the attacker remote code execution on the server.
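The CWE-98 pattern described above, as an added illustration that is not code from the Gmedia Photo Gallery plugin or from OpenCVE: a request parameter flows straight into an include path, beside a hardened version that validates the name and confirms the resolved path stays inside the intended directory. The function names, the `modules/` directory and the `module` parameter are hypothetical.

```php
<?php
// Added example (not the plugin's code). All names here are hypothetical.

// Vulnerable pattern (CWE-98): the module name arrives from the request and is
// concatenated into an include path without validation, so the caller chooses
// which local file gets included and, if it holds PHP, executed.
function load_module_unsafe(string $module): void
{
    include __DIR__ . '/modules/' . $module . '.php';
}

// Hardened pattern: reject anything that is not a plain identifier, resolve the
// path with realpath(), and verify the result is still inside the modules
// directory before include runs. Returns null for anything that fails a check.
function resolve_module_path(string $module): ?string
{
    // No slashes, dots or NUL bytes: traversal and absolute paths are rejected
    // before any filesystem lookup happens.
    if (preg_match('/\A[a-z0-9_-]{1,64}\z/', $module) !== 1) {
        return null;
    }

    $base = realpath(__DIR__ . '/modules');
    if ($base === false) {
        return null; // modules directory missing; nothing to include
    }

    $path = realpath($base . DIRECTORY_SEPARATOR . $module . '.php');
    if ($path === false) {
        return null; // file does not exist
    }

    // realpath() collapses "../" and symlinks; this prefix check catches a
    // resolved path that escaped the modules directory by any route.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }

    return $path;
}

function load_module_safe(string $module): void
{
    $path = resolve_module_path($module);
    if ($path === null) {
        http_response_code(400);
        exit('invalid module');
    }
    include $path;
}

// Usage (hypothetical request parameter):
// load_module_safe((string) ($_GET['module'] ?? ''));
```

Where the set of includable files is known in advance, an explicit allowlist (`in_array($module, ['gallery', 'album'], true)`) is simpler still and should replace the regular expression; the `realpath()` containment check remains useful as defence in depth. Keeping `allow_url_include=Off` in `php.ini` (the default) additionally prevents the same bug class from turning into remote file inclusion.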

Affected Systems

WordPress sites running the Serhii Pasyuk Gmedia Photo Gallery plugin (distributed as grand-media), at any release from the initial version up to and including 1.23.0. No affected build numbers beyond the maximum of 1.23.0 are listed.

Risk and Exploitability

The CVSS score of 7.5 marks this as a high-severity issue. The EPSS score of less than 1% indicates a very low but nonzero probability of exploitation in the wild, and the vulnerability is not currently listed in the CISA KEV catalog. The CVSS vector recorded for the issue (AV:N/AC:H/PR:L/UI:N) describes a network-reachable flaw requiring low-privileged access and high attack complexity; based on the description, the likely attack vector is therefore a WordPress administrative or public interface where the plugin builds an include path from user-supplied data. Successful exploitation would require the attacker to supply a malicious filename that resolves to a local PHP file, enabling code execution on the server.

Generated by OpenCVE AI on April 30, 2026 at 17:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Gmedia Photo Gallery to the latest version that is greater than 1.23.0. If a patch is not yet released, consider removing the plugin from the WordPress installation until an update is available.
  • If removal is not feasible, replace the Gmedia Photo Gallery plugin with a vetted alternative gallery solution that has no known LFI vulnerabilities.
  • As an interim containment measure, relocate the plugin's directory outside the web server's document root or set restrictive file-system permissions so that any files included by the plugin cannot be executed by the web server.



Advisories
  • Source: EUVD
    ID: EUVD-2025-19395
    Title: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Serhii Pasyuk Gmedia Photo Gallery allows PHP Local File Inclusion. This issue affects Gmedia Photo Gallery: from n/a through 1.23.0.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Serhii Pasyuk Gmedia Photo Gallery allows PHP Local File Inclusion. This issue affects Gmedia Photo Gallery: from n/a through 1.23.0.
  Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Serhii Pasyuk Gmedia Photo Gallery grand-media allows PHP Local File Inclusion.This issue affects Gmedia Photo Gallery: from n/a through <= 1.23.0.
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Fri, 27 Jun 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 27 Jun 2025 13:45:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Serhii Pasyuk Gmedia Photo Gallery allows PHP Local File Inclusion. This issue affects Gmedia Photo Gallery: from n/a through 1.23.0.
Title WordPress Gmedia Photo Gallery plugin <= 1.23.0 - Local File Inclusion Vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:22.178Z

Reserved: 2025-06-27T11:58:24.740Z

Link: CVE-2025-53257

Vulnrichment

Updated: 2025-06-27T14:36:19.463Z

NVD

Status: Deferred

Published: 2025-06-27T14:15:45.103

Modified: 2026-04-23T15:32:22.343

Link: CVE-2025-53257

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T17:15:42Z

Weaknesses
  • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')