Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in UnboundStudio Accordion FAQ allows PHP Local File Inclusion.

This issue affects Accordion FAQ: from n/a through 2.2.1.
Published: 2026-06-02
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An improper control of the filename used by the Accordion FAQ plugin’s PHP include/require statement allows an attacker to include arbitrary files from the server. By manipulating input to the plugin, an adversary can read sensitive files such as configuration files, credentials, or logs, and may be able to execute malicious code if the attacker can point the include at a PHP file. This results in a serious breach of confidentiality and integrity and could lead to full system compromise.

Affected Systems

The vulnerability affects the UnboundStudio Accordion FAQ plugin for WordPress, versions from an unspecified initial release through and including 2.2.1.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity. The EPSS score is not available, so the probability of exploitation is unknown; the vulnerability is not listed in the CISA KEV catalog. Attackers can likely exploit this through the plugin’s front‑end or administrative interface, though the specific authentication requirements are not detailed in the description, implying that even unauthenticated users may be able to supply input to trigger the inclusion.

Generated by OpenCVE AI on June 2, 2026 at 12:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Accordion FAQ plugin to a version newer than 2.2.1 once a fix is released.
  • If upgrading is not immediately possible, uninstall the plugin entirely to remove the vulnerable code path.
  • Restrict file permissions on critical configuration files and directories so they are not readable by the web server process, reducing the data exposed by LFI attempts.
  • Configure PHP to disable allow_url_include and apply open_basedir restrictions to limit include/require to safe directories.
  • Audit server logs for abnormal file inclusion attempts and implement application firewall rules that block anomalous include patterns.


Advisories

No advisories yet.

History

Tue, 02 Jun 2026 13:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 02 Jun 2026 11:30:00 +0000

Type | Values Removed | Values Added
Description | | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in UnboundStudio Accordion FAQ allows PHP Local File Inclusion. This issue affects Accordion FAQ: from n/a through 2.2.1.
Title | | WordPress Accordion FAQ Plugin <= 2.2.1 - Local File Inclusion Vulnerability
Weaknesses | | CWE-98
References | |
Metrics | | cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-02T12:11:37.367Z

Reserved: 2025-08-22T11:37:59.647Z

Link: CVE-2025-58024

Vulnrichment

Updated: 2026-06-02T12:11:31.695Z

NVD

Status: Deferred

Published: 2026-06-02T12:16:16.623

Modified: 2026-06-02T13:03:31.153

Link: CVE-2025-58024

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-02T12:30:08Z

Weaknesses