Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in hashthemes Easy Elementor Addons easy-elementor-addons allows PHP Local File Inclusion.This issue affects Easy Elementor Addons: from n/a through <= 2.2.8.
Published: 2025-09-22
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Easy Elementor Addons plugin from hashthemes contains an improper validation of file names used in PHP include/require statements. The flaw allows an attacker to supply a crafted path that points to arbitrary local files on the web server. By including a file that contains PHP code, the attacker can execute that code with the privileges of the web server process, or by including a plaintext configuration file they can obtain sensitive data. The weakness is a classic Local File Inclusion (CWE‑98) vulnerability.

Affected Systems

WordPress sites that have the Easy Elementor Addons plugin installed, any version up to and including 2.2.8. The issue applies to all releases from the earliest supported version through 2.2.8.

Risk and Exploitability

The vulnerability carries a CVSS score of 7.5, indicating high severity. The EPSS score is less than 1 %, suggesting that exploitation is currently rare but technically feasible. It is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker would need to craft a request that triggers the vulnerable include logic, typically through the plugin’s exposed functionality or a crafted URL. Once a valid local file is included, the attacker can read protected data or execute arbitrary PHP if the file contains code.

Generated by OpenCVE AI on April 30, 2026 at 00:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Easy Elementor Addons to the latest version (2.2.9 or newer) which removes the unsafe include logic.
  • If an immediate update is not possible, restrict the file system permissions so that the web server cannot read or execute files outside the intended plugin directories, and remove any ability for the plugin to include arbitrary paths.
  • Deploy a web application firewall or security plugin to block LFI attempts, and configure WordPress to disallow file editing (define('DISALLOW_FILE_EDIT', true);).

Generated by OpenCVE AI on April 30, 2026 at 00:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-30488 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in hashthemes Easy Elementor Addons allows PHP Local File Inclusion. This issue affects Easy Elementor Addons: from n/a through 2.2.8.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in hashthemes Easy Elementor Addons allows PHP Local File Inclusion. This issue affects Easy Elementor Addons: from n/a through 2.2.8. Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in hashthemes Easy Elementor Addons easy-elementor-addons allows PHP Local File Inclusion.This issue affects Easy Elementor Addons: from n/a through <= 2.2.8.
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Tue, 23 Sep 2025 16:15:00 +0000

Type Values Removed Values Added
First Time appeared Hashthemes
Hashthemes easy Elementor Addons
Wordpress
Wordpress wordpress
Vendors & Products Hashthemes
Hashthemes easy Elementor Addons
Wordpress
Wordpress wordpress

Tue, 23 Sep 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 22 Sep 2025 18:45:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in hashthemes Easy Elementor Addons allows PHP Local File Inclusion. This issue affects Easy Elementor Addons: from n/a through 2.2.8.
Title WordPress Easy Elementor Addons Plugin <= 2.2.8 - Local File Inclusion Vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Hashthemes Easy Elementor Addons
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:50.817Z

Reserved: 2025-09-06T04:45:16.548Z

Link: CVE-2025-58973

cve-icon Vulnrichment

Updated: 2025-09-23T13:56:45.883Z

cve-icon NVD

Status : Deferred

Published: 2025-09-22T19:16:22.803

Modified: 2026-04-23T15:33:58.390

Link: CVE-2025-58973

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T00:30:23Z

Weaknesses