Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in BuddyDev MediaPress mediapress allows PHP Local File Inclusion. This issue affects MediaPress: from n/a through <= 1.5.9.1.
Published: 2025-09-03
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The MediaPress plugin performs a PHP include/require on a filename derived from user-controlled input without proper validation, which lets an attacker make the server include, and thereby disclose, arbitrary local files. The flaw can expose sensitive configuration data, credentials, or other secrets, and may provide a foothold for further exploitation if an included file is attacker-writable or contains executable PHP code, since PHP executes whatever it includes. This vulnerability is classified under CWE-98.

Affected Systems

BuddyDev MediaPress versions from the earliest available release through 1.5.9.1 are affected. Any WordPress site that has not upgraded past 1.5.9.1 and still uses MediaPress is at risk. No earlier version cutoff is specified, so all installations of 1.5.9.1 or earlier should be considered vulnerable.

Risk and Exploitability

The CVSS score of 7.5 places this vulnerability in the high severity range; the vector (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) indicates a network-reachable flaw with high attack complexity, requiring low privileges and no user interaction, with high confidentiality, integrity, and availability impact. The EPSS score below 1% indicates a very low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog, suggesting no widespread exploitation is known. The most likely attack vector would involve a crafted HTTP request that triggers the unvalidated include call; this is an inference from the description rather than something the source material states explicitly.

Generated by OpenCVE AI on April 30, 2026 at 07:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade MediaPress to the latest released version provided by BuddyDev to remove the vulnerable include logic.
  • If an upgrade cannot be performed immediately, edit the plugin code to enforce strict whitelisting or validation of filenames before passing them to include or require.
  • Deploy a web application firewall or host-based intrusion detection system configured to block directory traversal patterns and other LFI indicators.
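As an added illustration of the allowlisting the second action calls for (this is not MediaPress code; the advisory does not describe where the plugin performs its include), the following generic PHP view loader shows the weak dynamic-include pattern beside a hardened version. The `templates/` directory, the view names and the `view` request parameter are assumptions chosen for the example.

```php
<?php
// Added illustration of CWE-98 (not MediaPress code). The plugin's actual
// include location is not described in the advisory; this is a generic
// WordPress-style view loader written to show the weak and the hardened
// pattern side by side.

// --- Weak pattern: the include path is built directly from request input ---
// Any value containing "../" sequences (or pointing at another readable file
// on the host) resolves outside the intended template directory, and PHP
// will include and execute whatever it finds there.
function load_view_unsafe( string $view ): void {
    $dir = __DIR__ . '/templates/';
    include $dir . $view . '.php';   // filename is attacker-controlled
}

// --- Hardened pattern: allowlist first, resolved-path check second --------
// Only view names the code knows about are ever turned into a path.
const ALLOWED_VIEWS = [ 'gallery', 'single', 'upload' ];

function load_view_safe( string $view ): bool {
    // 1. Strict allowlist with type-safe comparison: anything not in the
    //    list is rejected before a filesystem path is even built. In a real
    //    WordPress plugin the value would typically also pass through
    //    sanitize_key() first.
    if ( ! in_array( $view, ALLOWED_VIEWS, true ) ) {
        return false;
    }

    // 2. Defence in depth: resolve both the base directory and the target
    //    and insist the target still lives under the base. This catches a
    //    carelessly edited allowlist, symlinks, or a missing file (realpath
    //    returns false when the path does not exist).
    $dir  = realpath( __DIR__ . '/templates' );
    $file = realpath( $dir . '/' . $view . '.php' );
    if ( $dir === false || $file === false
         || strpos( $file, $dir . DIRECTORY_SEPARATOR ) !== 0 ) {
        return false;
    }

    include $file;
    return true;
}

// Usage in a request handler: a rejected name is a 404, never a fallback to
// the raw parameter. Default to a known view when none is supplied.
$requested = isset( $_GET['view'] ) ? (string) $_GET['view'] : 'gallery';
if ( ! load_view_safe( $requested ) ) {
    http_response_code( 404 );
    exit;
}
```

The allowlist is the control that actually closes CWE-98; the realpath prefix check is there so that a later mistake in maintaining the list does not silently reopen the hole.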

Generated by OpenCVE AI on April 30, 2026 at 07:28 UTC.


Advisories

  • Source: EUVD
    ID: EUVD-2025-26558
    Title: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in BuddyDev MediaPress allows PHP Local File Inclusion. This issue affects MediaPress: from n/a through 1.5.9.1.
History

Thu, 23 Apr 2026 15:00:00 +0000

  • Metrics cvssV3_1, values added: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000

  • Description, value removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in BuddyDev MediaPress allows PHP Local File Inclusion. This issue affects MediaPress: from n/a through 1.5.9.1.
  • Description, value added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in BuddyDev MediaPress mediapress allows PHP Local File Inclusion. This issue affects MediaPress: from n/a through <= 1.5.9.1.
  • References
  • Metrics cvssV3_1, values added: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Wed, 03 Sep 2025 19:45:00 +0000

  • First Time appeared, values added: Wordpress; Wordpress wordpress
  • Vendors & Products, values added: Wordpress; Wordpress wordpress

Wed, 03 Sep 2025 18:15:00 +0000

  • Metrics ssvc, values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 03 Sep 2025 14:45:00 +0000

  • Description, value added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in BuddyDev MediaPress allows PHP Local File Inclusion. This issue affects MediaPress: from n/a through 1.5.9.1.
  • Title, value added: WordPress MediaPress Plugin <= 1.5.9.1 - Local File Inclusion Vulnerability
  • Weaknesses, value added: CWE-98
  • References
  • Metrics cvssV3_1, values added: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-13T00:09:07.040Z

Reserved: 2025-09-03T09:02:38.120Z

Link: CVE-2025-58608

Vulnrichment

Updated: 2025-09-03T17:37:58.472Z

NVD

Status: Deferred

Published: 2025-09-03T15:15:42.563

Modified: 2026-04-23T15:33:27.190

Link: CVE-2025-58608

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T07:30:31Z

Weaknesses

  • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')