Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Aman Funnel Builder by FunnelKit funnel-builder allows PHP Local File Inclusion. This issue affects Funnel Builder by FunnelKit: from n/a through <= 3.11.1.
Published: 2025-08-20
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from improper control of the filename used in a PHP include/require statement within the Funnel Builder by FunnelKit plugin. An attacker who can make the plugin resolve a crafted filename may cause the server to include an arbitrary local file. If the attacker can get a file containing PHP code onto the server, including it leads to code execution on the web server; otherwise the impact is disclosure of sensitive file contents. The weakness is classified as CWE-98 and carries a CVSS base score of 7.5.

Affected Systems

The issue affects the Aman Funnel Builder by FunnelKit plugin on WordPress installations with versions up to and including 3.11.1. No additional product versions are listed, and no common platform enumeration strings are available.

Risk and Exploitability

The EPSS score is less than 1%, indicating that the likelihood of exploitation in the wild is currently low, yet the CVSS score of 7.5 signals a moderate to high impact if an adversary succeeds. The vulnerability is not currently listed in the CISA KEV catalog, so it has not been confirmed as widely exploited. The likely attack path is a request, from a user who need not hold elevated privileges, to a plugin endpoint that processes the filename parameter. If file-system permissions are lax, the attacker could also read sensitive files, but direct code execution requires the inclusion of a file containing PHP code.

Generated by OpenCVE AI on April 30, 2026 at 08:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Funnel Builder by FunnelKit plugin to the latest available version (>=3.12) where this LFI vulnerability has been patched.
  • If an immediate update is not viable, configure the plugin to restrict include paths by using a whitelist or by overriding the filename handling to allow only files from a designated safe directory.
  • Apply strict file-system permissions so that the web server user cannot read or write arbitrary files; this limits the impact of an attacker who may attempt to include a local file.
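As an added illustration of the second recommendation (a designated safe directory plus an allowlist), this PHP template resolver is example code written for this page, not code from the FunnelKit plugin; the directory, template names and function names are assumed.

```php
<?php
// Added example (not FunnelKit code): confine include targets to an allowlist
// of names inside one fixed directory, the standard mitigation for CWE-98.
// The vulnerable shape this replaces is an include/require whose filename is
// built from a caller-controlled parameter without any such confinement.

declare(strict_types=1);

const TEMPLATE_DIR = __DIR__ . '/templates';                  // assumed safe directory
const ALLOWED_TEMPLATES = ['checkout', 'thankyou', 'upsell']; // assumed template names

/**
 * Resolve a user-supplied template name to an absolute path, or return null.
 * Two independent checks: the name must be on the allowlist, and the resolved
 * real path must still lie inside TEMPLATE_DIR (guards against symlinks and
 * traversal sequences even if the allowlist is later widened).
 */
function resolve_template(string $name): ?string
{
    if (!in_array($name, ALLOWED_TEMPLATES, true)) {
        return null;                          // unknown name: refuse
    }
    $base = realpath(TEMPLATE_DIR);
    $path = realpath(TEMPLATE_DIR . '/' . $name . '.php');
    if ($base === false || $path === false) {
        return null;                          // directory or file missing
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;                          // resolved outside the safe directory
    }
    return $path;
}

function render_template(string $name): void
{
    $path = resolve_template($name);
    if ($path === null) {
        http_response_code(400);
        // Log the rejected value hex-encoded so it cannot corrupt the log line;
        // repeated rejections are a useful detection signal for LFI probing.
        error_log('rejected template name: ' . bin2hex($name));
        return;
    }
    include $path;                            // path is now fully server-controlled
}
```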

Advisories

Source: EUVD
ID: EUVD-2025-28567
Title: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in FunnelKit Funnel Builder by FunnelKit allows PHP Local File Inclusion. This issue affects Funnel Builder by FunnelKit: from n/a through 3.11.1.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Values: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in FunnelKit Funnel Builder by FunnelKit allows PHP Local File Inclusion. This issue affects Funnel Builder by FunnelKit: from n/a through 3.11.1.
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Aman Funnel Builder by FunnelKit funnel-builder allows PHP Local File Inclusion. This issue affects Funnel Builder by FunnelKit: from n/a through <= 3.11.1.

Type: References

Type: Metrics (cvssV3_1)
Values: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Thu, 21 Aug 2025 13:00:00 +0000

Type: First Time appeared
Values Added: Funnelkit; Funnelkit funnel Builder; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Funnelkit; Funnelkit funnel Builder; Wordpress; Wordpress wordpress

Wed, 20 Aug 2025 16:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 20 Aug 2025 08:15:00 +0000

Type: Description
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in FunnelKit Funnel Builder by FunnelKit allows PHP Local File Inclusion. This issue affects Funnel Builder by FunnelKit: from n/a through 3.11.1.

Type: Title
Values Added: WordPress Funnel Builder by FunnelKit Plugin <= 3.11.1 - Local File Inclusion Vulnerability

Type: Weaknesses
Values Added: CWE-98

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Subscriptions

Funnelkit Funnel Builder
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-13T00:05:21.405Z

Reserved: 2025-07-28T10:56:48.471Z

Link: CVE-2025-54750

Vulnrichment

Updated: 2025-08-20T15:17:16.125Z

NVD

Status : Deferred

Published: 2025-08-20T08:15:49.747

Modified: 2026-04-23T15:32:55.940

Link: CVE-2025-54750

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T09:00:19Z

Weaknesses