Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ovatheme Ovatheme Events ova-events allows PHP Local File Inclusion. This issue affects Ovatheme Events: from n/a through <= 1.2.8.
Published: 2025-08-28
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An attacker can cause the Ovatheme Events plugin to include a local file through an unsanitized filename parameter that reaches an include/require call. Based on the description, it is inferred that this improper control of the include/require call lets the plugin read or execute files already present on the server, which could expose configuration files or credentials; code execution is also inferred to be possible if an attacker can first place a file of their choosing in the web root.

Affected Systems

WordPress sites running the Ovatheme Events plugin at version 1.2.8 or earlier are affected; every installation of the plugin up to and including 1.2.8 is vulnerable.

Risk and Exploitability

The vulnerability carries a CVSS score of 8.1, indicating high severity, but its EPSS score is below 1%, suggesting a low likelihood of exploitation at this time. It is not listed in the CISA Known Exploited Vulnerabilities catalog. Based on the description, it is inferred that an attack requires the attacker to reach the vulnerable include path and to have the ability to place or identify a sensitive local file; if achieved, the impact could include disclosure of file contents in plaintext or code execution on the affected server.

Generated by OpenCVE AI on April 30, 2026 at 15:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Ovatheme Events plugin to the latest version (1.2.9 or newer) to remove the vulnerable include logic.
  • If an upgrade is not immediately possible, configure the web server to deny execution and reading of files outside the application directory, and restrict the PHP include path to a safe directory only.
  • Change the file permissions on the WordPress installation to prevent the web server from accessing sensitive files that should not be publicly readable, and monitor access logs for suspicious include attempts.
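As an added illustration of the CWE-98 pattern this advisory names (not code from the Ovatheme Events plugin or from OpenCVE), the unsafe shape of an include driven by request input is shown beside a hardened version that allowlists the template name and confines the resolved path to the plugin's template directory. The parameter name, template names and directory layout are constructed placeholders.

```php
<?php
// Constructed illustration of CWE-98, not the plugin's own code.

// Unsafe shape: a request parameter flows straight into include().
// Any traversal sequence in $template escapes the intended directory.
function render_template_unsafe(string $template): void
{
    include __DIR__ . '/templates/' . $template; // CWE-98: caller controls the path
}

// Hardened shape: allowlist the logical name, then confine the resolved path.
function resolve_template_safe(string $template, string $base_dir): ?string
{
    // 1. Only a fixed set of template names is ever accepted (placeholder names).
    $allowed = ['event-list', 'event-single', 'event-calendar'];
    if (!in_array($template, $allowed, true)) {
        return null;
    }

    // 2. Resolve both paths and require the candidate to stay under the base
    //    directory. This defeats traversal and symlink tricks even if the
    //    allowlist is later widened to patterns instead of fixed names.
    $real_base = realpath($base_dir);
    $candidate = realpath($base_dir . '/' . $template . '.php');
    if ($real_base === false || $candidate === false) {
        return null; // directory or file does not exist
    }
    if (strpos($candidate, $real_base . DIRECTORY_SEPARATOR) !== 0) {
        return null; // resolved outside the templates directory
    }
    return $candidate;
}

function render_template_safe(string $template, string $base_dir): void
{
    $path = resolve_template_safe($template, $base_dir);
    if ($path === null) {
        http_response_code(400);
        exit('Unknown template');
    }
    include $path;
}

// Example call with a constructed parameter name; in WordPress code the value
// would normally be read through sanitize_key() or a similar helper first.
render_template_safe((string) ($_GET['template'] ?? ''), __DIR__ . '/templates');
```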

Advisories

Source: EUVD
ID: EUVD-2025-25986
Title: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ovatheme Ovatheme Events allows PHP Local File Inclusion. This issue affects Ovatheme Events: from n/a through 1.2.8.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Values: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ovatheme Ovatheme Events allows PHP Local File Inclusion. This issue affects Ovatheme Events: from n/a through 1.2.8.
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ovatheme Ovatheme Events ova-events allows PHP Local File Inclusion. This issue affects Ovatheme Events: from n/a through <= 1.2.8.

Type: References

Type: Metrics (cvssV3_1)
Values: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Thu, 28 Aug 2025 19:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 28 Aug 2025 13:00:00 +0000

Type: Description
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ovatheme Ovatheme Events allows PHP Local File Inclusion. This issue affects Ovatheme Events: from n/a through 1.2.8.

Type: Title
Values Added: WordPress Ovatheme Events Plugin <= 1.2.8 - Local File Inclusion Vulnerability

Type: Weaknesses
Values Added: CWE-98

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:26.705Z

Reserved: 2025-07-03T14:51:06.794Z

Link: CVE-2025-53576

Vulnrichment

Updated: 2025-08-28T18:36:17.210Z

NVD

Status : Deferred

Published: 2025-08-28T13:16:04.770

Modified: 2026-04-23T15:32:38.103

Link: CVE-2025-53576

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T15:45:40Z

Weaknesses