Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Jiro Sasamoto Ray Enterprise Translation lingotek-translation allows PHP Local File Inclusion.This issue affects Ray Enterprise Translation: from n/a through <= 1.7.1.
Published: 2025-12-18
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper control of filenames used in PHP include/require statements allows an attacker to specify arbitrary files to be read or executed within the WordPress installation. The vulnerability is classified as a PHP Local File Inclusion that can potentially expose sensitive configuration files or lead to arbitrary code execution if malicious content is supplied. The flaw falls under CWE-98, and if exploited it threatens the confidentiality of site data and the integrity of the application logic.

Affected Systems

The Ray Enterprise Translation plugin for WordPress, developed by Jiro Sasamoto, is vulnerable in all releases from the initial version through 1.7.1. Any WordPress site that has this plugin installed and has not upgraded to a version beyond 1.7.1 is directly affected.

Risk and Exploitability

With a CVSS score of 7.5 the vulnerability is considered high risk, yet the EPSS suggests a very low likelihood of exploitation—under 1 percent. It is not listed in the CISA KEV catalog, indicating no widespread exploitation to date. Attackers would need the ability to influence the include path parameter, typically through an authenticated site or by manipulating request inputs that feed into the plugin’s include logic. The potential impact ranges from information disclosure to full control of the affected WordPress instance if arbitrary PHP code can be included. Given the low EPSS but high severity, the threat remains significant for sites that rely on this plugin.

Generated by OpenCVE AI on April 29, 2026 at 22:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Ray Enterprise Translation to a version newer than 1.7.1, or apply the latest security patch if available.
  • If an upgrade is not immediately possible, disable or uninstall the Ray Enterprise Translation plugin to stop the vulnerable include mechanism from being accessible.
  • Configure the WordPress environment to restrict PHP file inclusion: set open_basedir to the webroot, disable allow_url_include, and delete any __autoload PHP files that could be targeted.

Generated by OpenCVE AI on April 29, 2026 at 22:17 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

 cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in jbhovik Ray Enterprise Translation lingotek-translation allows PHP Local File Inclusion.This issue affects Ray Enterprise Translation: from n/a through <= 1.7.1. Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Jiro Sasamoto Ray Enterprise Translation lingotek-translation allows PHP Local File Inclusion.This issue affects Ray Enterprise Translation: from n/a through <= 1.7.1.

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Sun, 21 Dec 2025 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Jbhovik
Jbhovik ray Enterprise Translation
Wordpress
Wordpress wordpress
Vendors & Products Jbhovik
Jbhovik ray Enterprise Translation
Wordpress
Wordpress wordpress

Thu, 18 Dec 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 18 Dec 2025 07:45:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in jbhovik Ray Enterprise Translation lingotek-translation allows PHP Local File Inclusion.This issue affects Ray Enterprise Translation: from n/a through <= 1.7.1.
Title WordPress Ray Enterprise Translation plugin <= 1.7.1 - Local File Inclusion vulnerability
Weaknesses CWE-98
References

Subscriptions

Jbhovik Ray Enterprise Translation
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:54.254Z

Reserved: 2025-09-25T15:19:48.981Z

Link: CVE-2025-60076

cve-icon Vulnrichment

Updated: 2025-12-18T14:49:55.995Z

cve-icon NVD

Status : Deferred

Published: 2025-12-18T08:16:07.670

Modified: 2026-04-27T16:16:31.757

Link: CVE-2025-60076

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T22:30:21Z

Weaknesses